Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
An attacker fixates a falsified session credential into the victim's browser with the help of a crafted URL link.
A similar example passes the session ID as an argument of the URL.
Once the victim clicks the link, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session.
Skill or Knowledge Level: Medium
Forge the session credential and replay the request.
Attackers may require tools to craft messages containing their forged credentials, and the ability to send HTTP requests to a web application.
Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.
Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.
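The following is an added example, not part of the CAPEC entry, that puts the fixation scenario above and the two mitigations side by side: a server-side session store that issues unguessable identifiers and accepts only identifiers it issued itself, regenerating them on login, next to the accepting-any-identifier request handling that lets an attacker-chosen ID from a crafted link become a valid session. The names (SessionStore, handle_request_accepting, handle_request_hardened) and the attacker-chosen identifier are constructed for illustration.

```python
"""Added example (not from CAPEC): session handling that resists fixation and
forging, beside the accepting-any-identifier pattern that does not.
SessionStore, handle_request_* and the sample identifier are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SID_BYTES = 32  # 256 bits from the OS CSPRNG; brute-forcing is infeasible


@dataclass
class Session:
    user: Optional[str] = None
    privilege: str = "anonymous"


class SessionStore:
    """Server-side store: a session id is valid only if this server issued it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self) -> str:
        # token_urlsafe(32) yields a 43-character URL-safe token.
        sid = secrets.token_urlsafe(SID_BYTES)
        self._sessions[sid] = Session()
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        if sid is None:
            return None
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        # Privilege change (anonymous -> authenticated): destroy the old id and
        # issue a fresh one, so an id fixated before login is worthless after it.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(SID_BYTES)
        self._sessions[new_sid] = Session(user=user, privilege="user")
        return new_sid


def handle_request_accepting(store: SessionStore, presented: Optional[str]) -> str:
    """Vulnerable pattern: trusts whatever id the client presents (cookie or URL
    argument) and creates server state under it, so an attacker-chosen id in a
    crafted link becomes a valid session the attacker already knows."""
    if presented is not None and store.lookup(presented) is None:
        store._sessions[presented] = Session()
    return presented if presented is not None else store.issue()


def handle_request_hardened(store: SessionStore, presented: Optional[str]) -> str:
    """Mitigated pattern: ids the server did not issue are ignored and replaced."""
    if store.lookup(presented) is None:
        return store.issue()
    return presented


def demo() -> dict:
    # Constructed attacker-chosen identifier, as it might arrive via a crafted URL.
    fixated = "ATTACKER_CHOSEN_SESSION_ID"

    weak = SessionStore()
    accepted = handle_request_accepting(weak, fixated)

    strong = SessionStore()
    issued = handle_request_hardened(strong, fixated)
    after_login = strong.login(issued, "alice")

    return {
        "accepting_uses_fixated_id": accepted == fixated and weak.lookup(fixated) is not None,
        "hardened_rejects_fixated_id": issued != fixated and strong.lookup(fixated) is None,
        "issued_id_length": len(issued),
        "login_rotated_id": after_login != issued,
        "old_id_destroyed": strong.lookup(issued) is None,
        "new_id_bound_to_user": strong.lookup(after_login).user == "alice",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler never creates state under a client-supplied identifier, which is what defeats the crafted-link scenario; rotation in login() covers the case where the victim somehow already holds a server-issued identifier the attacker knows.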
The payload activation impact is that a session identifier of the attackers' choice is considered valid and trust decisions by the application will be based on such a forged identifier.