CAPEC

Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software


Individual CAPEC Dictionary Definition (Release 1.1)

Session Credential Falsification through Prediction

Attack Pattern ID

59

Pattern Abstraction

Detailed

Typical Severity

High

Description

Summary

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Attack Execution Flow

Explore
  1. Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users.

    Attack Step Techniques
    Description | Environments
    An attacker makes many anonymous connections and records the session IDs assigned. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer
    An attacker makes authorized connections and records the session tokens or credentials issued. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer
    Indicators of Susceptibility
    ID | Type | Description | Environments
    c59s1i1 | Positive | Web applications use session IDs | env-Web
    c59s1i2 | Positive | Network systems issue session IDs or connection IDs | env-CommProtocol env-ClientServer env-Peer2Peer
    Security Controls
    ID | Type | Description
    c59s1s1 | Detective | Monitor logs for unusual amounts of invalid sessions.
    c59s1s2 | Detective | Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts.
  2. Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a result, the attacker finds that legitimate session IDs are predictable.

    Attack Step Techniques
    Description | Environments
    Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    Outcomes
    ID | Type | Description
    c59s2o1 | Success | Patterns are detectable in session IDs.
    c59s2o2 | Failure | Session IDs pass NIST FIPS 140 statistical tests for cryptographic randomness.
    c59s2o3 | Success | Session IDs are repeated.
Experiment
  1. Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID.

    Attack Step Techniques
    Description | Environments
    The attacker models the session ID algorithm enough to produce a compatible series of IDs, or just one match. | env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    Outcomes
    ID | Type | Description
    c59s3o2 | Success | Session identifiers successfully spoofed.
    c59s3o3 | Failure | No session IDs can be found or exploited.
Exploit
  1. Use matched Session ID: The attacker uses the falsified session ID to access the target system.

    Attack Step Techniques
    Description | Environments
    The attacker loads the session ID into his web browser and browses to restricted data or functionality. | env-Web
    The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality. | env-CommProtocol env-Peer2Peer env-ClientServer
    Security Controls
    ID | Type | Description
    c59s4s1 | Detective | Monitor the correlation between session IDs and other station designations (MAC address, IP address, VLAN, etc.). Alert on session ID reuse from multiple sources.
    c59s4s2 | Preventative | Terminate both sessions if an ID is used from multiple origins.
Attack Prerequisites

The target host uses session IDs to keep track of the users.

Session IDs are used to control access to resources.

The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

Typical Likelihood of Exploit

High

Methods of Attack
  • Spoofing
  • Brute Force
  • Analysis
Examples-Instances

Description

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

Related Vulnerability

CVE-2006-6969

Description

mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.

Related Vulnerability

CVE-2001-1534

Attacker Skill or Knowledge Required

Low: There are tools to brute force session IDs. Those tools require a low level of knowledge. Medium/High: Predicting session IDs may require more computational work using advanced analysis, such as statistical analysis.

Probing Techniques

The attacker can perform analysis of the randomness of the session generation algorithm.

The attacker may need to steal a few valid session IDs using a different type of attack, and then use those session IDs to predict the following ones.

The attacker can use brute force tools to find a valid session ID.

Solutions and Mitigations

Use a strong source of randomness to generate a session ID.

Use adequate length session IDs.

Do not use information available to the user in order to generate session IDs (e.g., time).

Ideas for creating random numbers are offered by Eastlake [RFC1750].

Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.
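The following is an added example, not part of the CAPEC entry, showing the first two mitigations (a CSPRNG-backed, adequately long session ID) together with the detective control c59s4s1 (alert on one session ID seen from more than one origin). The 128-bit minimum, the key=value log layout and the sample log lines are assumptions constructed for the example.

```python
import secrets
from collections import defaultdict

# Assumption (not stated by the CAPEC entry): treat 128 bits of CSPRNG output
# as the minimum "adequate length" for a session identifier.
MIN_SESSION_ID_BITS = 128


def generate_session_id(n_bytes: int = 32) -> str:
    """Mint a session ID from the OS CSPRNG via `secrets`, never from time,
    PID or a seeded general-purpose PRNG such as java.util.Random."""
    if n_bytes * 8 < MIN_SESSION_ID_BITS:
        raise ValueError(f"session ID needs >= {MIN_SESSION_ID_BITS} bits of entropy")
    return secrets.token_urlsafe(n_bytes)


def multi_origin_sessions(log_lines):
    """Detective control c59s4s1: return {session_id: sorted client IPs} for
    every session ID observed from more than one origin address.  The log
    format is a constructed `key=value` layout, not any product's own."""
    origins = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if "sid" in fields and "ip" in fields:
            origins[fields["sid"]].add(fields["ip"])
    return {sid: sorted(ips) for sid, ips in origins.items() if len(ips) > 1}


# Constructed sample access log: session s1 shows up from two client IPs.
SAMPLE_LOG = [
    "ts=1700000001 ip=192.0.2.10 sid=s1 path=/login",
    "ts=1700000002 ip=192.0.2.10 sid=s1 path=/account",
    "ts=1700000003 ip=198.51.100.7 sid=s1 path=/account",
    "ts=1700000004 ip=203.0.113.5 sid=s2 path=/login",
    "ts=1700000005 ip=203.0.113.5 sid=s2 path=/account",
]

if __name__ == "__main__":
    print("fresh session ID:", generate_session_id())
    for sid, ips in multi_origin_sessions(SAMPLE_LOG).items():
        # Preventative control c59s4s2 would terminate both sessions here.
        print(f"ALERT: session {sid} used from multiple origins: {ips}")
```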

Attack Motivation-Consequences
  • Privilege Escalation
Context Description

Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
290 | Authentication Bypass by Spoofing | Targeted
330 | Use of Insufficiently Random Values | Targeted
331 | Insufficient Entropy | Targeted
346 | Origin Validation Error | Targeted
488 | Data Leak Between Sessions | Secondary
539 | Information Leak Through Persistent Cookies | Secondary
200 | Information Leak (Information Disclosure) | Secondary
6 | J2EE Misconfiguration: Insufficient Session-ID Length | Targeted
285 | Missing or Inconsistent Access Control | Secondary
384 | Session Fixation | Secondary
Related Security Principles
  • Securing the Weakest Link
Purpose

Penetration

CIA Impact
Confidentiality Impact | Integrity Impact | Availability Impact
High | High | Low
Technical Context
Architectural Paradigm | Framework | Platform | Language
Client-Server | J2EE | All | All
References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

Source
Submission(s)
Submitter | Organization | Date | Comment
Eric Dalci | Cigital, Inc | 2007-01-25 |
Modification(s)
Modifier | Organization | Date | Comment
Sean Barnum | Cigital, Inc | 2007-03-07 | Review and revise

Page Last Updated: April 18, 2008