CAPEC-593: Session Hijacking
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
This attack pattern covers an adversary who exploits weaknesses in how an application uses sessions to perform authentication. The adversary steals or manipulates an active session and uses it to gain unauthorized access to the application as the session's legitimate owner.
Execution Flow
Step 1: Explore
[Discover Existing Session Token] Through varying means (for example network sniffing, cross-site scripting, or guessing a predictable identifier), an adversary discovers and stores an existing session token belonging to some other authenticated user's session.
Step 2: Experiment
[Insert Found Session Token] The adversary inserts the found session token into their own communication with the targeted application to confirm that the application accepts it, and thus that it is viable for exploitation.
Step 3: Exploit
[Session Token Exploitation] The adversary leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
Prerequisites
- An application that leverages sessions to perform authentication.
Skills Required
Resources Required
- The adversary must have the ability to communicate with the application over the network.
Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Gain Privileges
Note: A successful attack enables an adversary to gain unauthorized access to an application with the privileges of the hijacked user.
Mitigations
Encrypt and sign identity tokens in transit, and generate session keys with an industry-standard mechanism that draws on a high amount of entropy, so that tokens cannot be guessed or forged; many standard web and application servers do this on your behalf. Apply a session timeout to every session: if the user does not explicitly log out, terminate the session after the inactivity period. When the user logs back in, generate a new session key rather than reusing the old one, so that a token captured earlier no longer grants access.
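The following added example, which is not CAPEC's own code, models both the three-step execution flow above and the mitigations in this section in one self-contained script. A constructed in-memory server that issues sequential session IDs is hijacked by an adversary who learns their own ID and inserts neighbouring IDs into requests; beside it, a hardened session manager applies the mitigations: high-entropy IDs from the OS CSPRNG, an inactivity timeout, and a fresh ID on every login. The class names, the 300-second timeout, the cookie attributes and the sample users are assumptions made for the demonstration.

```python
# Added example (not CAPEC's own code): a constructed, in-memory model of
# the three-step flow (discover a token, insert it, impersonate) run against
# a server with predictable session IDs, beside a hardened session manager
# that applies the mitigations: high-entropy IDs, an inactivity timeout and
# a fresh ID on every login. Class names, the 300 s timeout and the cookie
# attributes are assumptions for the demo.
import secrets
import time
from typing import Callable, Optional


class VulnerableSessions:
    """Issues sequential session IDs, so any authenticated user can guess
    the IDs handed to users who logged in shortly before or after them."""

    def __init__(self) -> None:
        self._next_id = 1000
        self._sessions: dict[str, str] = {}

    def login(self, user: str) -> str:
        sid = str(self._next_id)
        self._next_id += 1
        self._sessions[sid] = user
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """What the application believes about the bearer of `sid`."""
        return self._sessions.get(sid)


def hijack_neighbouring_session(server: VulnerableSessions, attacker_sid: str,
                                window: int = 5) -> Optional[tuple[str, str]]:
    """Explore: learn our own ID. Experiment: insert nearby IDs into requests.
    Exploit: return the first ID the server accepts as someone else."""
    base = int(attacker_sid)
    for guess in range(base - window, base + window + 1):
        candidate = str(guess)
        victim = server.whoami(candidate)          # "insert found token"
        if victim is not None and candidate != attacker_sid:
            return candidate, victim               # impersonation succeeds
    return None


class HardenedSessions:
    """Session manager applying the mitigations from the text."""

    IDLE_TIMEOUT = 300  # seconds of inactivity before the session dies (assumed)

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock  # injectable so the timeout is testable offline
        self._sessions: dict[str, tuple[str, float]] = {}  # sid -> (user, last_seen)

    def login(self, user: str, old_sid: Optional[str] = None) -> str:
        # Never promote a pre-existing ID (leaked or attacker-chosen) to an
        # authenticated session: drop it and mint a fresh one.
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (user, self._clock())
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if self._clock() - last_seen > self.IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: a replayed old token is worthless
            return None
        self._sessions[sid] = (user, self._clock())  # sliding inactivity window
        return user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value that keeps the token off plaintext HTTP and out of
    reach of page scripts (attributes assumed; not from the CAPEC text)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    weak = VulnerableSessions()
    weak.login("alice")                      # constructed victim
    mallory_sid = weak.login("mallory")      # constructed adversary
    print("vulnerable server hijack:", hijack_neighbouring_session(weak, mallory_sid))

    now = [0.0]
    strong = HardenedSessions(clock=lambda: now[0])
    sid = strong.login("alice")
    print("hardened cookie:", session_cookie(sid))
    now[0] = 301.0
    print("after idle timeout:", strong.whoami(sid))
```

The guessing loop only works because the vulnerable server's identifiers are sequential; against the hardened manager the same adversary would have to enumerate a 256-bit space. The injectable clock is there so that the timeout and the login-time regeneration can be checked without waiting, which is how a practitioner would unit-test a real session store.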
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1185 | Browser Session Hijacking |
| ATTACK | 1550.001 | Use Alternate Authentication Material: Application Access Token |
| ATTACK | 1563 | Remote Service Session Hijacking |
| OWASP Attacks | - | Session hijacking attack |