CAPEC-593: Session Hijacking

Description
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
Extended Description

Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

Severity :

Very High

Possibility :

High

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-21: Exploitation of Trusted Identifiers Exploitation of Trusted Identifiers CAPEC-33: HTTP Request Smuggling HTTP Request Smuggling CAPEC-34: HTTP Response Splitting HTTP Response Splitting CAPEC-60: Reusing Session IDs (aka Session Replay) Reusing Session IDs (aka Session Replay) CAPEC-61: Session Fixation Session Fixation CAPEC-102: Session Sidejacking Session Sidejacking CAPEC-105: HTTP Request Splitting HTTP Request Splitting CAPEC-107: Cross Site Tracing Cross Site Tracing CAPEC-273: HTTP Response Smuggling HTTP Response Smuggling
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • An application that leverages sessions to perform authentication.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low Exploiting a poorly protected identity token is a well understood attack with many helpful resources available.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Browser Session Hijacking ATTACK | Use Alternate Authentication Material:Application Access Token ATTACK | Remote Service Session Hijacking OWASP Attacks | Session hijacking attack
Resources required

The adversary must have the ability to communicate with the application over the network.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-287: Improper Authentication

Visit http://capec.mitre.org/ for more details.