Home > CAPEC List > CAPEC-226: Session Credential Falsification through Manipulation (Version 2.10)  

CAPEC-226: Session Credential Falsification through Manipulation

 
Session Credential Falsification through Manipulation
Definition in a New Window Definition in a New Window
Attack Pattern ID: 226
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server. For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service.

+ Attack Prerequisites
  • The targeted application must use session credentials to identify legitimate users.

+ Typical Severity

Medium

+ Resources Required

An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential.

+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017