This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
Description
Attack Execution Flow
3
1
Step 1
Explore[Discover Existing Session Token] Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.
AI Translation
[Scopri il token di sessione esistente] Attraverso vari metodi, un adversary scoprirà e memorizzerà un token di sessione esistente di un'altra sessione utente autenticata.
2
Step 2
Experiment[Insert Found Session Token] The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.
AI Translation
[Inserisci il token di sessione trovato] L'attaccante tenta di inserire un token di sessione trovato nella comunicazione con l'applicazione target per verificare la possibilità di sfruttamento.
3
Step 3
Exploit[Session Token Exploitation] The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
AI Translation
[Session Token Exploitation] L'attaccante sfrutta il token di sessione catturato per interagire con l'applicazione target in modo dannoso, impersonando la vittima.
Mitigations
1
Properly Encrypt And Sign Identity Tokens In Transit, And Use Industry Standard Session Key Generation Mechanisms That Utilize High Amount Of Entropy To Generate The Session Key. Many Standard Web And Application Servers Will Perform This Task On Your Behalf. Utilize A Session Timeout For All Sessions. If The User Does Not Explicitly Logout, Terminate Their Session After This Period Of Inactivity. If The User Logs Back In Then A New Session Key Should Be Generated.
Consequences
Security Scopes Affected
Availability
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Relationships
Related ATT&CK Techniques
3
T1185
Browser Session Hijacking
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept …
T1550.001
Application Access Token
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services …
T1563
Remote Service Session Hijacking
Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid …
Resources Required
1
The adversary must have the ability to communicate with the application over the network.