Home > CAPEC List > CAPEC-59: Session Credential Falsification through Prediction (Version 3.0)  

CAPEC-59: Session Credential Falsification through Prediction

Attack Pattern ID: 59
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.196Session Credential Falsification through Forging
+ Execution Flow
Explore
  1. Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users. An attacker makes many anonymous connections and records the session IDs assigned. An attacker makes authorized connections and records the session tokens or credentials issued.

    Techniques
    An attacker makes many anonymous connections and records the session IDs assigned.
    An attacker makes authorized connections and records the session tokens or credentials issued.
  2. Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable. Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections. Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

    Techniques
    Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
    Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
    Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.
Experiment
  1. Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID. The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

    Techniques
    The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.
Exploit
  1. Use matched Session ID: The attacker uses the falsified session ID to access the target system. The attacker loads the session ID into his web browser and browses to restricted data or functionality. The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality.

    Techniques
    The attacker loads the session ID into his web browser and browses to restricted data or functionality.
    The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality.
+ Prerequisites
The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).
+ Skills Required
[Level: Low]
There are tools to brute force session ID. Those tools require a low level of knowledge.
[Level: Medium]
Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Access Control
Authorization
Gain Privileges
+ Mitigations
Use a strong source of randomness to generate a session ID.
Use adequate length session IDs
Do not use information available to the user in order to generate session ID (e.g., time).
Ideas for creating random numbers are offered by Eastlake [RFC1750]
Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.
+ Example Instances
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. See also: CVE-2006-6969
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. See also: CVE-2001-1534
+ Memberships
This MemberOf Relationships table shows additional CAPEC Categories and Views that reference this attack pattern as a member. This information is often useful in understanding where a attack pattern fits within the context of external information sources.
NatureTypeIDName
MemberOfCategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.351WASC-18 - Credential/Session Prediction
+ References
[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018