Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
This attack targets the reuse of a valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID that was used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs.
Skill or Knowledge Level: Low
If an attacker can steal a valid session ID, he can then try to be authenticated with that stolen session ID.
Skill or Knowledge Level: Medium
A more sophisticated attack can be used to hijack a valid session from a user and spoof that legitimate user by reusing their valid session ID.
The attacker can listen to a conversation between the client and server and steal a valid session ID.
The attacker can try to steal session information from the user's cookies.
The attacker can try a valid session ID from a finished transaction and find that the session associated with it has not timed out.
Always invalidate a session ID after the user logs out.
Set up a timeout for session IDs.
Protect the communication between the client and server. For instance, it is best practice to use SSL to mitigate man-in-the-middle attacks.
Do not send the session ID with the GET method, otherwise the session ID will be copied into the URL. In general, avoid writing session IDs in URLs: URLs get written to log files, which an attacker may be able to read.
Encrypt the session data associated with the session ID.
Use multifactor authentication.
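One server-side implementation of the mitigations above, added here as an example that is not part of the CAPEC entry: a session store with a sliding idle timeout and explicit invalidation on logout, so a stolen ID that is replayed after logout or after the timeout is rejected. The TTL value, the cookie attributes and the `SessionStore` API are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 900  # assumed idle timeout (15 minutes)


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """Server-side store that makes a stolen or replayed session ID useless
    once the session has been logged out or has timed out."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable clock so the timeout is testable
        self._sessions = {}

    def create(self, user):
        # 256-bit random ID: unpredictable, unlike a static per-user identifier
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, self.clock() + self.ttl)
        return sid

    def lookup(self, sid):
        """Return the user of a live session, or None if the ID is unknown,
        expired, or already invalidated (i.e. a replayed ID)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now >= s.expires_at:
            del self._sessions[sid]     # timed out: drop it so later replays fail too
            return None
        s.expires_at = now + self.ttl   # sliding idle timeout
        return s.user

    def logout(self, sid):
        """Invalidate the ID on logout; a replay of it afterwards returns None."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Carry the ID in a cookie (never a URL) and keep it off plain HTTP and
    out of script reach; attribute choice is an assumption."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
```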