Name | Reusing Session IDs (aka Session Replay)
Likelihood of attack | High
Typical severity | High
|
Summary |
This attack targets the reuse of a valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID, used previously during a transaction, to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
Prerequisites |
The target host uses session IDs to keep track of users, and those session IDs are used to control access to resources. The session IDs used by the target host are not well protected from session theft.
Execution Flow
Step | Phase | Description | Techniques
1 | Explore | The attacker interacts with the target host and finds that session IDs are used to authenticate users. |
2 | Explore | The attacker steals a session ID from a valid user. |
3 | Exploit | The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner. |
|
Solutions | Always invalidate a session ID after the user logs out. Set up a session timeout for session IDs. Protect the communication between the client and server; for instance, it is best practice to use SSL to mitigate adversary-in-the-middle attacks (CAPEC-94). Do not send the session ID with the GET method, otherwise the session ID will be copied into the URL. In general, avoid writing session IDs in URLs: URLs can get logged in log files, which are vulnerable to an attacker. Encrypt the session data associated with the session ID. Use multifactor authentication.
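The server-side half of these mitigations, as an added example that is not part of the CAPEC entry: an assumed in-memory session store whose IDs are random, invalidated on logout, dropped after an idle timeout, rotated on privilege change, and delivered only through a Secure/HttpOnly cookie rather than a URL. The names SessionStore, set_cookie_header and session_id_from_cookies and the 15-minute timeout are choices made for this example.

```python
import secrets
import time
SESSION_BYTES = 32       # 256 bits of entropy: IDs cannot be guessed, only stolen
IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the server drops a session
COOKIE_NAME = "sid"

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock       # injectable clock so timeouts can be exercised offline
        self._sessions = {}       # session_id -> {"user": str, "last_seen": float}

    def _issue(self, rec):
        sid = secrets.token_urlsafe(SESSION_BYTES)
        self._sessions[sid] = rec
        return sid

    def login(self, user):
        return self._issue({"user": user, "last_seen": self._clock()})

    def resolve(self, sid):
        """Map a presented session ID to its user, or None if it must be rejected."""
        rec = self._sessions.get(sid)
        if rec is None:                      # unknown, logged out, or already expired
            return None
        if self._clock() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]          # expired: drop it so a later replay also fails
            return None
        rec["last_seen"] = self._clock()
        return rec["user"]

    def logout(self, sid):
        # Invalidate server-side; clearing only the browser cookie leaves a stolen copy usable.
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """Issue a fresh ID for the same user (after login or a privilege change)."""
        rec = self._sessions.pop(sid, None)
        return self._issue(rec) if rec else None

def set_cookie_header(sid):
    # Deliver the ID in a cookie, never a URL: TLS-only and hidden from page scripts.
    return f"{COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"

def session_id_from_cookies(cookie_header):
    # Accept the ID from the Cookie header only; query-string values are ignored.
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None
```

A replayed ID fails at resolve() once the owner has logged out or the idle timeout has passed, because the server record, not the cookie, is the source of truth.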
Related Weaknesses
CWE ID | Description
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor
CWE-285 | Improper Authorization
CWE-290 | Authentication Bypass by Spoofing
CWE-294 | Authentication Bypass by Capture-replay
CWE-346 | Origin Validation Error
CWE-384 | Session Fixation
CWE-488 | Exposure of Data Element to Wrong Session
CWE-539 | Use of Persistent Cookies Containing Sensitive Information
CWE-664 | Improper Control of a Resource Through its Lifetime
CWE-732 | Incorrect Permission Assignment for Critical Resource
|
Related CAPECs
CAPEC ID | Description
CAPEC-593 | This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unauthorized access to the application.
|
Taxonomy: ATTACK
Entry ID | Entry Name
1134.001 | Access Token Manipulation: Token Impersonation/Theft
1550.004 | Use Alternate Authentication Material: Web Session Cookie
|