This attack targets the reuse of valid session ID to spoof the target
system in order to gain privileges. The attacker tries to reuse a stolen
session ID used previously during a transaction to perform spoofing and
session hijacking. Another name for this type of attack is Session
Replay.
Attack Execution Flow
The attacker interacts with the target host and
finds that session IDs are used to authenticate
users.
The attacker steals a session ID from a valid
user.
The attacker tries to use the stolen session ID to
gain access to the system with the priviledges of
the session ID's original owner.
Attack Prerequisites
The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are not well protected from
session theft.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Spoofing
Social Engineering
Analysis
Examples-Instances
Description
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and
bypass access controls.
Related Vulnerabilities
CVE-1999-0428
Description
Merak Mail IceWarp Web Mail uses a static identifier as a user session
ID that does not change across sessions, which could allow remote
attackers with access to the ID to gain privileges as that user, e.g. by
extracting the ID from the user's answer or forward URLs.
Related Vulnerabilities
CVE-2002-0258
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Low: If an attacker can steal a valid session ID, he can then try to
be authenticated with that stolen session ID.
Skill or Knowledge Level: Medium
More sophisticated attack can be used to hijack a valid session from a
user and spoof a legitimate user by reusing his valid session ID.
Probing Techniques
The attacker can listen to a conversation between the client and server
and steal a valid session ID.
The attacker can try to steal session information from the user's
coookies.
The attacker can try a valid session from a finished transaction and find
out that the transaction associated with the session ID did not time
out.
Solutions and Mitigations
Always invalidate a session ID after the user logout.
Setup a session time out for the session IDs.
Protect the communication between the client and server. For instance it
is best practice to use SSL to mitigate man in the middle attack.
Do not code send session ID with GET method, otherwise the session ID will
be copied to the URL. In general avoid writing session IDs in the URLs. URLs
can get logged in log files, which are vulnerable to an attacker.
Encrypt the session data associated with the session ID.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.
Description
