English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CAPEC-102

Session Sidejacking
HIGH
HIGH
Draft
2014-06-23 00:00 +00:00
2020-07-30 00:00 +00:00
CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.
Alert management

Description

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

Informations

Execution Flow

1) Explore

[Detect Unprotected Session Token Transfer] The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.

Technique
  • The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies their knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens.

2) Experiment

[Capture session token] The attacker uses sniffing tools to capture a session token from traffic.

3) Experiment

[Insert captured session token] The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.

4) Exploit

[Session Token Exploitation] The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

Prerequisites

An attacker and the victim are both using the same WiFi network.
The victim has an active session with a target system.
The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)
The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically "rings home" asynchronously using the session token

Skills Required

Easy to use tools exist to automate this attack.

Resources Required

A packet sniffing tool, such as wireshark, can be used to capture session information.

Mitigations

Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.
Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.

Related Weaknesses

CWE-ID Weakness Name
CWE-294 Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-522 Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-523 Unprotected Transport of Credentials
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
CWE-319 Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-05-01 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Resources_Required
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Example_Instances, Execution_Flow

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.