CAPEC-593: Session Hijacking

Description
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
Extended Description

Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

Severity :

Very High

Possibility :

High

Type :

Standard
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • An application that leverages sessions to perform authentication.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low Exploiting a poorly protected identity token is a well understood attack with many helpful resources available.
Resources required

The adversary must have the ability to communicate with the application over the network.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Dec. 03, 2024 17:27