CAPEC 60 Reusing Session IDs (aka Session Replay)

Draft Detailed High Risk

Severity High

Description

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

Attack Execution Flow

Step 1

Explore

The attacker interacts with the target host and finds that session IDs are used to authenticate users.

Step 2

Explore

The attacker steals a session ID from a valid user.

Step 3

Exploit

The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.

Mitigations

Always Invalidate A Session Id After The User Logout.

Protect The Communication Between The Client And Server. For Instance It Is Best Practice To Use Ssl To Mitigate Adversary In The Middle Attacks (Capec-94).

Encrypt The Session Data Associated With The Session Id.

Setup A Session Time Out For The Session Ids.

Do Not Code Send Session Id With Get Method, Otherwise The Session Id Will Be Copied To The Url. In General Avoid Writing Session Ids In The Urls. Urls Can Get Logged In Log Files, Which Are Vulnerable To An Attacker.

CAPEC 60 Reusing Session IDs (aka Session Replay)

Description

Attack Execution Flow

Step 1

Step 2

Step 3

Mitigations

Always Invalidate A Session Id After The User Logout.

Protect The Communication Between The Client And Server. For Instance It Is Best Practice To Use Ssl To Mitigate Adversary In The Middle Attacks (Capec-94).

Encrypt The Session Data Associated With The Session Id.

Setup A Session Time Out For The Session Ids.

Do Not Code Send Session Id With Get Method, Otherwise The Session Id Will Be Copied To The Url. In General Avoid Writing Session Ids In The Urls. Urls Can Get Logged In Log Files, Which Are Vulnerable To An Attacker.

Use Multifactor Authentication.

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Related ATT&CK Techniques

Token Impersonation/Theft

Web Session Cookie

CAPEC 60 Reusing Session IDs (aka Session Replay)

Description

Attack Execution Flow

Step 1

Step 2

Step 3

Mitigations

Always Invalidate A Session Id After The User Logout.

Protect The Communication Between The Client And Server. For Instance It Is Best Practice To Use Ssl To Mitigate Adversary In The Middle Attacks (Capec-94).

Encrypt The Session Data Associated With The Session Id.

Setup A Session Time Out For The Session Ids.

Do Not Code Send Session Id With Get Method, Otherwise The Session Id Will Be Copied To The Url. In General Avoid Writing Session Ids In The Urls. Urls Can Get Logged In Log Files, Which Are Vulnerable To An Attacker.

Use Multifactor Authentication.

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Related ATT&CK Techniques

Token Impersonation/Theft

Web Session Cookie

Iscriviti alla newsletter