CAPEC-196: Session Credential Falsification through Forging

Description
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
Extended Description

The possible outcomes of a Principal Spoof mirror those of Identity Spoofing (e.g., escalation of privilege and false attribution of data or activities). Likewise, most techniques for Identity Spoofing (crafting messages, or intercepting and replaying or modifying messages) can be used for a Principal Spoof attack. However, because a Principal Spoof is used to impersonate a person, social engineering can be both an attack technique (using social techniques to generate evidence in support of a false identity) and a possible outcome (manipulating people's perceptions by making statements or performing actions under a target's name).

Severity:

Medium

Possibility:

Medium

Type:

Standard
Prerequisites

  • The targeted application must use session credentials to identify legitimate users. Session identifiers that remain unchanged when the privilege level changes. Predictable session identifiers.
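The two prerequisites above (predictable identifiers, and identifiers that survive a privilege change) are what make forging feasible. The following is an added example, not code from CAPEC or cvefeed.io, showing the defensive counterpart in plain Python: session IDs drawn from the OS CSPRNG, an HMAC signature over the ID so a client cannot mint a credential without the server key, a server-side store so an unknown ID is rejected even with a valid signature, and rotation of the ID whenever the role changes. The class, method names and the sample tokens are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SessionManager:
    """Session credentials hardened against forging (illustrative, not a library)."""

    def __init__(self, key: bytes):
        self._key = key          # server-side secret; never sent to the client
        self._sessions = {}      # session_id -> {"user": ..., "role": ...}

    def _sign(self, session_id: str) -> str:
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user: str, role: str = "user") -> str:
        sid = secrets.token_urlsafe(32)          # 256 random bits: not predictable
        self._sessions[sid] = {"user": user, "role": role}
        return f"{sid}.{self._sign(sid)}"        # token = id.signature

    def resolve(self, token: str):
        """Return the session for a token, or None if it is forged or unknown."""
        sid, sep, sig = token.rpartition(".")
        if not sep or not hmac.compare_digest(sig, self._sign(sid)):
            return None                          # signature does not match: forged
        return self._sessions.get(sid)           # must also exist server-side

    def elevate(self, token: str, new_role: str):
        """Issue a fresh ID on privilege change so the old credential dies."""
        session = self.resolve(token)
        if session is None:
            return None
        del self._sessions[token.rpartition(".")[0]]
        return self.create(session["user"], new_role)


def demo():
    mgr = SessionManager(secrets.token_bytes(32))
    tok = mgr.create("alice")
    forged = tok.rpartition(".")[0] + "." + "0" * 64   # constructed: real ID, invented signature
    guessed = "AAAA.deadbeef"                          # constructed: guessed ID and signature
    role_before = mgr.resolve(tok)["role"]
    admin_tok = mgr.elevate(tok, "admin")
    return {
        "forged_rejected": mgr.resolve(forged) is None,
        "guessed_rejected": mgr.resolve(guessed) is None,
        "role_before": role_before,
        "old_token_dead": mgr.resolve(tok) is None,
        "role_after": mgr.resolve(admin_tok)["role"],
    }
```

In a real deployment the store would be a database or cache and the key would come from a secrets manager, but the three checks (random ID, signature, rotation) are the ones that defeat this pattern.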
Skills required

  • Medium: Forge the session credential and replay the request.
Resources required

Attackers may require tools to craft messages containing their forged credentials, and the ability to send HTTP requests to a web application.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 21, 2024 12:30