CAPEC-59 Session Credential Falsification thro...

CAPEC-59 Metadata

Likelihood of Attack

High

Typical Severity

High

Overview

Summary

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Prerequisites

The target host uses session IDs to keep track of the users. Session IDs are used to control access to resources. The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

Execution Flow

Step	Phase	Description	Techniques
1	Explore	[Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users.	An attacker makes many anonymous connections and records the session IDs assigned. An attacker makes authorized connections and records the session tokens or credentials issued.
2	Explore	[Characterize IDs] The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.	Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections. Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.
3	Experiment	[Match issued IDs] The attacker brute forces different values of session ID and manages to predict a valid session ID.	The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.
4	Exploit	[Use matched Session ID] The attacker uses the falsified session ID to access the target system.	The attacker loads the session ID into their web browser and browses to restricted data or functionality. The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.

Potential Solutions / Mitigations

Use a strong source of randomness to generate a session ID. Use adequate length session IDs Do not use information available to the user in order to generate session ID (e.g., time). Ideas for creating random numbers are offered by Eastlake [RFC1750] Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.

Related Weaknesses (CWE)

CWE ID	Description
CWE-6	J2EE Misconfiguration: Insufficient Session-ID Length
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-285	Improper Authorization
CWE-290	Authentication Bypass by Spoofing
CWE-330	Use of Insufficiently Random Values
CWE-331	Insufficient Entropy
CWE-346	Origin Validation Error
CWE-384	Session Fixation
CWE-488	Exposure of Data Element to Wrong Session
CWE-539	Use of Persistent Cookies Containing Sensitive Information
CWE-693	Protection Mechanism Failure

Related CAPECs

CAPEC ID	Description
CAPEC-196	An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.

CAPEC ID

Description

CAPEC-196

An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.

Taxonomy Mappings

Taxonomy: WASC

Entry ID	Entry Name
18	Credential/Session Prediction

Taxonomy: OWASP Attacks

Entry ID	Entry Name
Link	Session Prediction

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.