CAPEC-60: Reusing Session IDs (aka Session Replay)

Abstraction: Detailed  Status: Draft  Typical Severity: High  Likelihood of Attack: High

CAPEC Version: 3.9

Last Updated: 2023-01-24

Description

This attack targets the reuse of a valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID that was previously used during a transaction, thereby spoofing a legitimate user and hijacking their session. Another name for this type of attack is Session Replay.

Execution Flow

Step 1 Explore

The attacker interacts with the target host and finds that session IDs are used to authenticate users.

Step 2 Explore

The attacker steals a session ID from a valid user.

Step 3 Exploit

The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.

Prerequisites

  • The target host uses session IDs to keep track of the users.
  • Session IDs are used to control access to resources.
  • The session IDs used by the target host are not well protected from session theft.

Skills Required

Low: If an attacker can steal a valid session ID, they can then try to authenticate with that stolen session ID.
Medium: A more sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID.

Consequences

Scope: Confidentiality, Access Control, Authorization

Technical Impact: Gain Privileges

Mitigations

Always invalidate a session ID after the user logs out.

Set up a session timeout for the session IDs.

Protect the communication between the client and server. For instance, it is best practice to use SSL to mitigate adversary-in-the-middle attacks (CAPEC-94).

Do not send the session ID with the GET method; otherwise the session ID will be copied into the URL. In general, avoid writing session IDs into URLs. URLs can end up in log files, which an attacker may be able to read.

Encrypt the session data associated with the session ID.

Use multifactor authentication.
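The following server-side session store is an added example and is not code from the CAPEC entry or from any of the products it cites. It shows how the mitigations above translate into implementation: a fresh random ID per login (as opposed to the static per-user identifier in the Merak Mail instance below), an idle and an absolute timeout, server-side invalidation on logout so that a replayed ID is refused, and a cookie-only transport with the Secure and HttpOnly flags so the ID never appears in a URL. The timeout values, the cookie name `sid`, and the request shape are assumptions for the example; encryption of the session data and multifactor authentication are not covered.

```python
import secrets
import time
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional

# Assumed policy values for this example (not taken from the CAPEC entry).
IDLE_TIMEOUT_SECONDS = 15 * 60        # no request for 15 minutes ends the session
ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600   # hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side store implementing the CAPEC-60 mitigations: random per-login
    IDs, idle/absolute timeouts, and invalidation on logout."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so timeouts can be exercised deterministically

    def login(self, user: str) -> str:
        # A fresh, unpredictable ID for every login. A fixed per-user value (the
        # CVE-2002-0258 pattern) would let anyone who learned it replay it indefinitely.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def logout(self, sid: str) -> None:
        # Invalidate on the server, so a captured ID is useless after logout.
        self._sessions.pop(sid, None)

    def resolve(self, sid: Optional[str]) -> Optional[Session]:
        """Return the live session for sid, or None if unknown, expired, or logged out."""
        if sid is None:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_SECONDS
        absolute_expired = now - session.created_at > ABSOLUTE_TIMEOUT_SECONDS
        if idle_expired or absolute_expired:
            del self._sessions[sid]   # drop it so the ID is never honored again
            return None
        session.last_seen = now
        return session


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value: the ID travels only in a cookie, never in the URL."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True     # not readable by page scripts
    cookie["sid"]["secure"] = True       # only sent over TLS (the page's SSL mitigation)
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()


def session_id_from_request(headers: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Read the session ID from the Cookie header only.

    `query` is deliberately never consulted: an ID supplied as ?sid=... in the
    URL is not accepted as a credential, so IDs do not end up in access logs."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get("sid")
    return morsel.value if morsel else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("live:", store.resolve(sid) is not None)
    store.logout(sid)
    print("after logout, replayed ID accepted:", store.resolve(sid) is not None)
```

In a real application the store would be backed by a database or cache shared across server instances, and `resolve` would be the single place every request goes through before any authorization decision, so that an expired or logged-out ID fails closed.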

Example Instances

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428

Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258

Taxonomy Mappings

Taxonomy Name   Entry ID   Entry Name
ATTACK          1134.001   Access Token Manipulation: Token Impersonation/Theft
ATTACK          1550.004   Use Alternate Authentication Material: Web Session Cookie

Key Information

CAPEC ID: CAPEC-60

Abstraction: Detailed

Status: Draft

Typical Severity: High

Likelihood of Attack: High

Related Attack Patterns