CAPEC-60: Reusing Session IDs (aka Session Replay)

Description

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

Extended Description

Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

Severity :

High

Possibility :

High

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-593: Session Hijacking Session Hijacking

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are not well protected from session theft.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.
Medium More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Access Token Manipulation:Token Impersonation/Theft ATTACK | Use Alternate Authentication Material:Web Session Cookie

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-285: Improper Authorization

CWE-290: Authentication Bypass by Spoofing

CWE-294: Authentication Bypass by Capture-replay

CWE-346: Origin Validation Error

CWE-384: Session Fixation

CWE-488: Exposure of Data Element to Wrong Session

CWE-539: Use of Persistent Cookies Containing Sensitive Information

CWE-664: Improper Control of a Resource Through its Lifetime

CWE-732: Incorrect Permission Assignment for Critical Resource

Visit http://capec.mitre.org/ for more details.