An attacker creates a session credential in order to gain or usurp access
to a service. Session credentials allow users to identify themselves to a
service after an initial authentication without needing to resend the
authentication information (usually a username and password) with every
message. If an attacker is able to forge valid session credentials they may
be able to bypass authentication or piggy-back off some other authenticated
user's session. This attack differs from Reuse of Session IDs and Session
Sidejacking attacks in that, in those attacks, an attacker uses a
previous or existing credential without modification, whereas in a forging
attack the attacker must create their own credential, although it may be
based on previously observed credentials.

Attack Prerequisites

The targeted application must use session credentials to identify
legitimate users.

Resources Required

Attackers may require tools to craft messages containing their forged
credentials.

In a Session Fixation attack, the attacker provides a credential and
coerces a user into using that credential when authenticating with the
server. If the format of credentials is anything but trivial, the
attacker would need to forge a valid-looking credential first.
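The description above says a forged credential must look valid to the server, and the fixation note says the attacker may instead hand a credential to the victim. Both are defeated by the same server-side design: credentials that are unguessable and bound to a server-held MAC key, checked in constant time, and always re-issued at authentication. The following is an added illustration written for this page, not CAPEC's or MITRE's code; the token layout, field names, 1-hour lifetime and the demo key are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo key. A real service loads it from a secret store and rotates it;
# whoever holds this key can mint credentials, so it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _tag(payload: str, key: bytes) -> str:
    # HMAC-SHA256 over the whole payload binds id, user and timestamp to the key
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Mint a credential of the form <random id>.<user>.<issued-at>.<hmac>.

    The id is 192 bits from a CSPRNG, so it cannot be predicted from earlier
    credentials; the MAC means no field can be edited without the key.
    """
    if "." in user:
        raise ValueError("user must not contain the field separator")
    issued = int(time.time() if now is None else now)
    payload = f"{secrets.token_urlsafe(24)}.{user}.{issued}"
    return f"{payload}.{_tag(payload, key)}"


def verify_session(token: str, key: bytes = SERVER_KEY, now: Optional[float] = None,
                   max_age: int = 3600) -> Optional[str]:
    """Return the user named in a genuine, unexpired credential, else None."""
    parts = token.split(".")
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    payload, tag = ".".join(parts[:3]), parts[3]
    # constant-time comparison: a timing oracle would otherwise let a forger
    # confirm the tag one byte at a time
    if not hmac.compare_digest(_tag(payload, key), tag):
        return None
    current = time.time() if now is None else now
    if current - int(parts[2]) > max_age:
        return None
    return parts[1]


def login(user: str, presented_token: Optional[str] = None) -> str:
    """Authentication always mints a fresh credential. A token the client brought
    along (the Session Fixation case) is discarded, never adopted."""
    return issue_session(user)
```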
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.