Home > CAPEC List > CAPEC-59: Session Credential Falsification through Prediction (Version 2.4)  

CAPEC-59: Session Credential Falsification through Prediction

 
Session Credential Falsification through Prediction
Definition in a New Window Definition in a New Window
Attack Pattern ID: 59
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Description

Summary

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Attack Execution Flow

Explore
  1. Find Session IDs:

    The attacker interacts with the target host and finds that session IDs are used to authenticate users.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    An attacker makes many anonymous connections and records the session IDs assigned.

    env-Web env-Peer2Peer env-CommProtocol env-ClientServer
    2

    An attacker makes authorized connections and records the session tokens or credentials issued.

    env-Web env-Peer2Peer env-CommProtocol env-ClientServer

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    Web applications use session IDs

    env-Web
    2Positive

    Network systems issue session IDs or connection IDs

    env-CommProtocol env-ClientServer env-Peer2Peer

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor logs for unusual amounts of invalid sessions.
    2Detective
    Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts.
  2. Characterize IDs:

    The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    2

    Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol
    3

    Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes

    IDTypeOutcome Description
    1Success
    Patterns are detectable in session IDs
    2Failure
    Session IDs pass NIST FIPS 140 statistical tests for cryptographic randomness.
    3Success
    Session IDs are repeated.
Experiment
  1. Match issued IDs:

    The attacker brute forces different values of session ID and manages to predict a valid session ID.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

    env-Web env-ClientServer env-Peer2Peer env-CommProtocol

    Outcomes

    IDTypeOutcome Description
    1Success
    Session identifiers successfully spoofed
    2Failure
    No session IDs can be found or exploited
Exploit
  1. Use matched Session ID:

    The attacker uses the falsified session ID to access the target system.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    The attacker loads the session ID into his web browser and browses to restricted data or functionality.

    env-Web
    2

    The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality.

    env-CommProtocol env-Peer2Peer env-ClientServer

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor the correlation between session IDs and other station designations (MAC address, IP address, VLAN, etc.). Alert on session ID reuse from multiple sources.
    2Preventative
    Terminate both sessions if an ID is used from multiple origins.
+ Attack Prerequisites
  • The target host uses session IDs to keep track of the users.

  • Session IDs are used to control access to resources.

  • The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Spoofing
  • Brute Force
  • Analysis
+ Examples-Instances

Description

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.

Related Vulnerabilities

Description

mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.

Related Vulnerabilities

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

There are tools to brute force session ID. Those tools require a low level of knowledge.

Skill or Knowledge Level: Medium

Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.

+ Probing Techniques

Description

The attacker can perform analysis of the randomness of the session generation algorithm.

Description

The attacker may need to steal a few valid session IDs using a different type of attack. And then use those session ID to predict the following ones.

Description

The attacker can use brute force tools to find a valid session ID.

+ Solutions and Mitigations

Use a strong source of randomness to generate a session ID.

Use adequate length session IDs

Do not use information available to the user in order to generate session ID (e.g., time).

Ideas for creating random numbers are offered by Eastlake [RFC1750]

Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Confidentiality
Access_Control
Authorization
Gain privileges / assume identity
+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
Frameworks
J2EE
.NET
Platforms
All
Languages
All
+ References
[R.59.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateComments
Eric DalciCigital, Inc2007-01-25
Modifications
ModifierOrganizationDateCommentsSource
Sean BarnumCigital, Inc2007-03-07Review and revise
CAPEC Content TeamThe MITRE Corporation2014-02-06Updated Attacker_Skills_or_Knowledge_Required, Probing_TechniquesInternal
CAPEC Content TeamThe MITRE Corporation2014-04-10Updated Attack_PhasesInternal

Page Last Updated: April 10, 2014