Home > CAPEC List > CAPEC-593: Session Hijacking (Version 2.11)  

CAPEC-593: Session Hijacking

Attack Pattern ID: 593
Abstraction: Standard
Status: Stable
Completeness: Complete
+ Summary

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unauthorized access to the application.

+ Attack Prerequisites
  • An application that leverages sessions to perform authentication.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

If an application is leveraging improper authentication, then there is a high likelihood that it will be found and exploited. The prevalence of automated analysis tools has made identifying these types of weaknesses achievable by even the most basic adversary. Once identified, this can often be exploited with minimal trial and error.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Exploiting a poorly protected identity token is a well understood attack with many helpful resources available.

+ Resources Required

The adversary must have the ability to communicate with the application over the network.

+ Solutions and Mitigations

Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize a high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly log out, terminate their session after this period of inactivity. If the user logs back in, then a new session key should be generated.
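A minimal server-side session store that applies these mitigations, added here as an illustration and not code from CAPEC or MITRE: the session key comes from the OS CSPRNG, idle sessions expire, a fresh key is issued on every login, and the cookie keeps the token off plaintext HTTP and away from scripts. The timeout value and cookie attributes are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed inactivity window; tune per application.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, old_session_id: Optional[str] = None) -> str:
        # Discard whatever session id the client presented at login, so a
        # pre-set or previously exposed key never becomes an authenticated one.
        if old_session_id is not None:
            self._sessions.pop(old_session_id, None)
        # 256 bits from the OS CSPRNG: never a counter, timestamp or username hash.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user, self._now())
        return session_id

    def resolve(self, session_id: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if self._now() - session.last_seen > IDLE_TIMEOUT_SECONDS:
            self._sessions.pop(session_id, None)  # terminate, not merely reject
            return None
        session.last_seen = self._now()  # sliding inactivity window
        return session.user

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def session_cookie(session_id: str) -> str:
    # Set-Cookie value: TLS-only, unreadable from script, not sent cross-site.
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
```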

+ Attack Motivation-Consequences
Scope: Confidentiality, Integrity, Availability
Technical Impact: Gain privileges / assume identity
Note: A successful attack can enable an adversary to gain unauthorized access to an application.

+ Technical Context

Architectural Paradigms: Client-Server, Web

+ Content History
Submissions

Submitter: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2017-04-15
Source: Internal_CAPEC_Team

Page Last Updated or Reviewed: July 31, 2017