CAPEC-59

Session Credential Falsification through Prediction

Likelihood of Attack: High
Typical Severity: High
Status: Draft
Submitted: 2014-06-23 00:00 +00:00
Last Modified: 2021-06-24 00:00 +00:00

CAPEC Description

This attack targets predictable session IDs in order to gain privileges. The attacker predicts the session ID used during a transaction and presents it to the target to perform spoofing and session hijacking.

CAPEC Information

Execution Flow

1) Explore

[Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users.

Technique
  • An attacker makes many anonymous connections and records the session IDs assigned.
  • An attacker makes authorized connections and records the session tokens or credentials issued.
2) Explore

[Characterize IDs] The attacker studies the characteristics of the session ID (size, format, etc.). As a result, the attacker finds that legitimate session IDs are predictable.

Technique
  • Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
  • Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs.
  • Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.
3) Experiment

[Match issued IDs] The attacker brute forces different values of session ID and manages to predict a valid session ID.

Technique
  • The attacker models the session ID algorithm well enough to produce compatible session IDs, or just one match.
4) Exploit

[Use matched Session ID] The attacker uses the falsified session ID to access the target system.

Technique
  • The attacker loads the session ID into their web browser and browses to restricted data or functionality.
  • The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.
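The four steps above run end to end against a constructed toy target. This is an added example written for this page, not code from CAPEC or from any real product: the server, its time-plus-counter ID format, and the names WeakSessionServer, characterize, predict_candidates and hijack are all chosen here, and the timestamps are constructed sample data.

```python
import itertools

# Constructed toy target: a deliberately weak session-ID generator of the kind
# CAPEC-59 describes. The ID is the login time (Unix seconds) concatenated with
# a 4-digit per-process login counter. Illustration only, not a real framework.
class WeakSessionServer:
    def __init__(self):
        self.counter = 0
        self.sessions = {}          # session_id -> user

    def login(self, user, now):
        self.counter += 1
        sid = f"{now}{self.counter:04d}"
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def characterize(samples):
    """Explore: `samples` are (issue_time, session_id) pairs the attacker
    recorded from their own logins. Returns (time_digits, counter_digits) if
    every ID is the issue time followed by a strictly increasing suffix,
    otherwise None (the IDs do not fit this model)."""
    if len({len(sid) for _, sid in samples}) != 1:
        return None                                  # variable length: not this layout
    if not all(sid.isdigit() for _, sid in samples):
        return None
    width = len(samples[0][1])
    for tdigits in range(1, width):
        # Comparison against time: does a prefix equal the issue time?
        if all(sid[:tdigits] == str(t) for t, sid in samples):
            # Pattern test: is the remainder a counter that only goes up?
            suffixes = [int(sid[tdigits:]) for _, sid in samples]
            if all(b > a for a, b in zip(suffixes, suffixes[1:])):
                return tdigits, width - tdigits
    return None


def predict_candidates(layout, before, after, t_lo, t_hi):
    """Experiment: the victim logged in between the attacker's own logins
    `before` and `after`, at some second in [t_lo, t_hi]. Enumerate every ID
    the weak generator could have issued in that window."""
    tdigits, cdigits = layout
    c_lo = int(before[tdigits:]) + 1            # first counter value after `before`
    c_hi = int(after[tdigits:])                  # exclusive: the counter of `after`
    for t, c in itertools.product(range(t_lo, t_hi + 1), range(c_lo, c_hi)):
        yield f"{t}{c:0{cdigits}d}"


def hijack(server, candidates):
    """Exploit: present each predicted ID until the target accepts one."""
    for sid in candidates:
        user = server.whoami(sid)
        if user is not None:
            return sid, user
    return None


def run_attack():
    """Returns (layout, number_of_candidates, hijack_result, victim_sid)."""
    server = WeakSessionServer()
    base = 1_700_000_000                          # constructed epoch for the sample run
    # Explore: anonymous logins at known moments, IDs recorded.
    samples = [(base + dt, server.login("attacker", base + dt)) for dt in (0, 3, 7, 12)]
    layout = characterize(samples)
    # Another user (the victim) logs in between two more attacker logins.
    before = server.login("attacker", base + 20)
    victim_sid = server.login("alice", base + 24)
    after = server.login("attacker", base + 30)
    candidates = list(predict_candidates(layout, before, after, base + 20, base + 30))
    return layout, len(candidates), hijack(server, candidates), victim_sid


if __name__ == "__main__":
    layout, n, result, victim = run_attack()
    print(f"layout={layout} candidates={n} hijacked={result} victim={victim}")
```

The point to take from the run: the ID is 14 digits long, so a naive brute force would face 10^14 values, but once the attacker bounds the login time to a ten-second window and the counter to the gap between two of their own logins, the search space collapses to eleven candidates. The attack's cost is set by the entropy of the generator, not by the length of the string.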

Prerequisites

The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

Skills Required

Tools exist to brute force session IDs, and using them requires little knowledge.
Predicting a session ID from observed samples may require more computational work and advanced analysis, such as statistical analysis of the issued IDs.

Mitigations

Use a strong source of randomness (a cryptographically secure random number generator) to generate session IDs.
Use session IDs of adequate length; what matters is the number of unpredictable bits, not the length of the encoded string.
Do not use information available to the user (e.g., time) to generate session IDs.
Ideas for creating random numbers are offered by Eastlake [RFC1750]; that RFC has since been obsoleted by RFC 4086, "Randomness Requirements for Security", which is the current reference.
Encrypt the session ID if you expose it to the user. For instance, the session ID can be stored in a cookie in encrypted format. Encryption under a key the user never sees hides the ID's structure from the attacker, but it is a second line of defense, not a substitute for an unpredictable ID.
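The mitigations above in code, as an added example for this page and not CAPEC's or any framework's own implementation: new_session_id draws the ID from the operating-system CSPRNG with nothing time- or user-derived mixed in, SessionStore keeps all session state server-side and rotates the ID at authentication, and the two helper functions put numbers on "adequate length". The names are chosen here, and the 60-second login window and 10-login counter window used to estimate the weak ID's effective entropy are assumed attacker bounds, not measurements.

```python
import base64
import math
import secrets

SESSION_ID_BYTES = 16          # 128 bits drawn from the CSPRNG


def new_session_id(nbytes=SESSION_ID_BYTES):
    """Generate a session ID from the OS CSPRNG (secrets -> os.urandom) and put
    nothing else in it: no time, counter, username or client-supplied data."""
    raw = secrets.token_bytes(nbytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def weak_id_effective_bits(time_window_seconds, counter_window):
    """Adequate length means entropy, not string length. An ID built from login
    time plus a counter has only log2(candidates) bits of security once the
    attacker bounds the login time and the counter."""
    return math.log2(time_window_seconds * counter_window)


def expected_guesses_to_hijack(id_bits, live_sessions):
    """Expected number of uniformly random guesses before one matches any of
    `live_sessions` IDs drawn from a 2**id_bits space."""
    return 2 ** id_bits / live_sessions


class SessionStore:
    """Server-side session table keyed by the opaque random ID. Everything
    sensitive stays on the server; the cookie carries only the token."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._sessions = {}          # sid -> (user, expires_at)

    def create(self, user, now):
        sid = new_session_id()
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def lookup(self, sid, now):
        """Return the user for a live session, or None. Expired entries are
        dropped so a stale ID cannot be replayed later."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]
            return None
        return user

    def rotate(self, sid, now):
        """Issue a fresh ID on login or privilege change and drop the old one,
        so a pre-authentication token never becomes an authenticated one
        (the session-fixation case, CWE-384)."""
        user = self.lookup(sid, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, now)


if __name__ == "__main__":
    # Weak time+counter ID with a 60 s / 10-login attacker window (assumed bounds)
    print(f"weak ID effective entropy: {weak_id_effective_bits(60, 10):.1f} bits")
    # Random 128-bit IDs against 10,000 concurrent sessions
    print(f"expected guesses: {expected_guesses_to_hijack(128, 10_000):.3e}")
    store = SessionStore(ttl_seconds=900)
    sid = store.create("alice", now=0)
    print(f"session id: {sid} ({len(sid)} chars)")
```

Two numbers make the contrast concrete: the weak ID from the earlier execution flow is worth roughly nine bits once its inputs are bounded, while a 128-bit random ID shared with ten thousand live sessions still needs on the order of 10^34 guesses in expectation, far beyond any rate a server would accept.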

Related Weaknesses

CWE-ID Weakness Name

CWE-290

Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-330

Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE-331

Insufficient Entropy
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

CWE-346

Origin Validation Error
The product does not properly verify that the source of data or communication is valid.

CWE-488

Exposure of Data Element to Wrong Session
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

CWE-539

Use of Persistent Cookies Containing Sensitive Information
The web application uses persistent cookies, but the cookies contain sensitive information.

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length
The J2EE application is configured to use an insufficient session ID length.

CWE-285

Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE-384

Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

CWE-693

Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

Submission

Name Organization Date
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Execution_Flow
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated Related_Weaknesses