CAPEC-196: Session Credential Falsification through Forging
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
Execution Flow
Step 1 Explore
[Analyze and Understand Session IDs] The attacker finds that the targeted application uses session credentials to identify legitimate users.
- An attacker makes many anonymous connections and records the session IDs.
- An attacker makes authorized connections and records the session tokens or credentials.
Step 2 Experiment
[Create Session IDs.] Attackers craft messages containing their forged credentials in GET or POST requests, HTTP headers, or cookies.
- The attacker manipulates the HTTP request message and adds their forged session IDs into the requests or cookies.
Step 3 Exploit
[Abuse the Victim's Session Credentials] The attacker fixates a falsified session ID on the victim when the victim accesses the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can take over the session using the forged session identifier.
- The attacker loads the predefined or predicted session ID into their browser and browses to protected data or functionality.
- The attacker loads the predefined or predicted session ID into their software and utilizes functionality with the rights of the victim.
Prerequisites
- The targeted application must use session credentials to identify legitimate users.
- Session identifiers that remain unchanged when the privilege level changes.
- Predictable session identifiers.
Skills Required
Resources Required
- Attackers may require tools to craft messages containing their forged credentials, and the ability to send HTTP requests to a web application.
Consequences
Scope: Integrity
Technical Impact: Modify Data
Scope: Confidentiality
Technical Impact: Read Data
Scope: Authorization
Technical Impact: Execute Unauthorized Commands
Note: Run Arbitrary Code
Scope: Accountability, Authentication, Authorization, Non-Repudiation
Technical Impact: Gain Privileges
Scope: Access Control, Authorization
Technical Impact: Bypass Protection Mechanism
Mitigations
Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.
Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.
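Both mitigations together, as an added illustration that is not part of the CAPEC entry: a minimal in-memory session store that issues identifiers from a cryptographically secure generator and destroys the old identifier whenever the privilege level changes, so an identifier fixated before login never resolves to the authenticated session. The store, its method names and the sample user are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# 32 random bytes = 256 bits of entropy, which puts guessing and brute force
# out of reach; a counter or timestamp-derived ID would not.
SESSION_ID_BYTES = 32


@dataclass
class Session:
    user: Optional[str] = None      # None while the session is anonymous
    privilege: str = "anonymous"
    created: float = field(default_factory=time.time)


class SessionStore:
    """Hypothetical server-side store: unguessable IDs, rotated on privilege change."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG (os.urandom).
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = Session()
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        # A forged or unissued ID simply has no entry; no partial match, no fallback.
        return self._sessions.get(sid)

    def elevate(self, old_sid: str, user: str, privilege: str) -> str:
        """Call after a successful login or any other privilege change.
        The old identifier is destroyed and a fresh one issued, so an ID
        planted in the browser before authentication never maps to the
        authenticated session."""
        if self._sessions.pop(old_sid, None) is None:
            raise KeyError("unknown session; refusing to elevate an unissued ID")
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = Session(user=user, privilege=privilege)
        return new_sid


def fixation_defeated() -> bool:
    """Walk through the Step 3 scenario: an anonymous ID known before login is
    presented at login; after rotation it no longer resolves to anything."""
    store = SessionStore()
    known_before_login = store.new_session()                  # constructed sample
    fresh = store.elevate(known_before_login, user="alice", privilege="user")
    return (store.lookup(known_before_login) is None
            and fresh != known_before_login
            and store.lookup(fresh).user == "alice")
```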
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1134.002 | Access Token Manipulation: Create Process with Token |
| ATTACK | 1134.003 | Access Token Manipulation: Make and Impersonate Token |
| ATTACK | 1606 | Forge Web Credentials |