CAPEC

Common Attack Pattern Enumeration and Classification

A Community Knowledge Resource for Building Secure Software

Individual CAPEC Dictionary Definition (Release 1.1)

Session Fixation
Attack Pattern ID: 61
Pattern Abstraction: Standard

Typical Severity

High

Description

Summary

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

Attack Execution Flow

Explore
  1. Set up the Attack: Set up a session: The attacker has to set up a trap session that provides a valid session identifier, or select an arbitrary identifier, depending on the mechanism employed by the application. A trap session is a dummy session established with the application by the attacker and is used solely for the purpose of obtaining valid session identifiers. The attacker may also be required to periodically refresh the trap session in order to obtain valid session identifiers.

    Attack Step Techniques
    Description | Environments
    The attacker chooses a predefined identifier that he knows. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer
    The attacker creates a trap session for the victim. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer
    Indicators of Susceptibility
    ID | Type | Description | Environments
    c61s1i1 | Positive | The application accepts predefined or user-provided session IDs. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer
    c61s1i2 | Negative | The application ignores predefined or user-provided session IDs and provides new session IDs. | env-Web env-Peer2Peer env-CommProtocol env-ClientServer
    Outcome
    ID | Type | Description
    c61s1o1 | Success | A trap session or a predefined session ID is established.
    Security Controls
    ID | Type | Description
    c61s1s1 | Detective | Detect and alert on users who provide unknown session IDs when establishing a connection. Since this also fits the scenario where a user's session has expired, the heuristic must be a bit smarter, perhaps looking for an unusually high number of such occurrences in a short time frame.
    c61s1s2 | Detective | Detect and alert on multiple origins connecting with the same predefined session ID.
Experiment
  1. Attract a Victim: Fixate the session: The attacker now needs to transfer the session identifier from the trap session to the victim by introducing the session identifier into the victim's browser. This is known as fixating the session. The session identifier can be introduced into the victim's browser by leveraging a cross-site scripting vulnerability, using META tags, or setting HTTP response headers in a variety of ways.

    Attack Step Techniques
    Description | Environments
    Attackers can put links on web sites (such as forums, blogs, or comment forms). | env-Web
    Attackers can establish rogue proxy servers for network protocols that give out the session ID and then redirect the connection to the legitimate service. | env-Peer2Peer env-ClientServer env-CommProtocol
    Attackers can email attack URLs to potential victims through spam and phishing techniques. | env-Web
    Outcome
    ID | Type | Description
    c61s2o1 | Success | A victim makes a connection according to the attacker's design.
    Security Control
    ID | Type | Description
    c61s2s1 | Detective | Record referrers from web clients that connect with predefined session IDs. Alert when referrers do not match known, acceptable sites.
Exploit
  1. Abuse the Victim's Session: Take over the fixated session: Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the fixated session identifier.

    Attack Step Techniques
    Description | Environments
    The attacker loads the predefined session ID into his browser and browses to protected data or functionality. | env-Web
    The attacker loads the predefined session ID into his software and utilizes functionality with the rights of the victim. | env-CommProtocol env-ClientServer env-Peer2Peer
    Outcome
    ID | Type | Description
    c61s3o1 | Success | The attacker gains access to data or functionality with the rights of the victim.
    Security Controls
    ID | Type | Description
    c61s3s1 | Detective | Detect and alert on multiple simultaneous uses of the same session ID from different origins.
    c61s3s2 | Corrective | Disconnect all simultaneous users of the same session ID when they arrive from different origins.
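The detective controls listed in the execution flow (c61s1s1: a burst of unknown session IDs from one origin; c61s1s2 and c61s3s1: one session ID presented from several origins) implemented in Python over constructed access-log lines. This is an added example, not CAPEC content; the log format, the `lookup` field written by the server, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (assumed format): "<epoch> <client IP> <session ID> <lookup>"
# where <lookup> says whether the server found the presented ID in its own table.
LOG_LINES = """\
1000 203.0.113.5 abc1234 unknown
1005 203.0.113.5 zzz0001 unknown
1010 203.0.113.5 qqq0002 unknown
1100 198.51.100.7 abc1234 known
1130 203.0.113.5 abc1234 known
2000 192.0.2.9 legit0001 unknown
2500 192.0.2.9 legit0002 known
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (known|unknown)$")


def parse(lines):
    """Yield (timestamp, ip, session_id, lookup) tuples; skip malformed lines."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def unknown_id_bursts(lines, window=60, threshold=3):
    """c61s1s1: origins presenting >= threshold unknown IDs within window seconds.
    One unknown ID is normal (an expired session); a burst in a short window is not."""
    times = defaultdict(list)
    for ts, ip, _sid, lookup in parse(lines):
        if lookup == "unknown":
            times[ip].append(ts)
    flagged = set()
    for ip, stamps in times.items():
        stamps.sort()
        for i, start in enumerate(stamps):   # sliding window anchored at each event
            in_window = sum(1 for t in stamps[i:] if t - start <= window)
            if in_window >= threshold:
                flagged.add(ip)
    return flagged


def shared_session_ids(lines):
    """c61s1s2 / c61s3s1: session IDs presented from more than one origin."""
    origins = defaultdict(set)
    for _ts, ip, sid, _lookup in parse(lines):
        origins[sid].add(ip)
    return {sid: sorted(ips) for sid, ips in origins.items() if len(ips) > 1}
```

In the constructed data, 203.0.113.5 trips the burst rule and abc1234 is the ID seen from two origins; a corrective action such as c61s3s2 would act on the second result.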
Attack Prerequisites

Session identifiers that remain unchanged when the privilege levels change.

Permissive session management mechanism that accepts random user-generated session identifiers.

Predictable session identifiers.

Typical Likelihood of Exploit

Medium

Methods of Attack
  • Time and State
  • Injection
Examples-Instances

Description

Consider a banking application that issues a session identifier in the URL to a user before login, and uses the same identifier to identify the customer following successful authentication. An attacker can easily leverage session fixation to access a victim's account by having the victim click on a forged link that contains a valid session identifier from a trap session set up by the attacker. Once the victim is authenticated, the attacker can take over the session and continue with the same levels of privilege as the victim.

Description

An attacker can hijack user sessions, bypass authentication controls and possibly gain administrative privilege by fixating the session of a user authenticating to the Management Console on certain versions of Macromedia JRun 4.0. This can be achieved by setting the session identifier in the user's browser and having the user authenticate to the Management Console. Session fixation is possible since the application server does not regenerate session identifiers when there is a change in the privilege levels.

Related Vulnerability

CVE-2004-2182

Attacker Skill or Knowledge Required

Low: Only basic skills are required to determine and fixate session identifiers in a user's browser. Subsequent attacks may require greater skill levels depending on the attacker's motives.

Resources Required

None

Probing Techniques

Determining whether the target application server accepts preset session identifiers is relatively easy. The attacker may try setting session identifiers in the URL, in hidden form fields, or in cookies, depending upon the application design. Using an existing account or a dummy account, the attacker can determine whether the preset session identifiers are accepted or not.

With code or design in hand, the attacker can readily verify whether preset session identifiers are accepted and whether identifiers are regenerated, and possibly destroyed, when privilege levels change.

Indicators-Warnings of Attack

There are no indicators for the server since a fixated session identifier looks like an ordinarily generated one. However, a large number of invalid sessions caused by invalid session identifiers is a potential warning.

A client can be suspicious if a received link contains preset session identifiers. However, this depends on the client's knowledge of such an issue. Also, fixation through Cross-Site Scripting or hidden form fields is usually difficult to detect.

Solutions and Mitigations

Use a strict session management mechanism that only accepts locally generated session identifiers: This prevents attackers from fixating session identifiers of their own choice.

Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.

Use session identifiers that are difficult to guess or brute-force: One way for the attackers to obtain valid session identifiers is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.

Attack Motivation-Consequences
  • Privilege Escalation
Context Description

Session fixation takes place primarily due to the application trusting user-supplied session identifiers and using the same identifiers across multiple levels of privilege. There are two types of session management mechanisms:
1. Permissive: The application accepts any user-provided session identifier. This allows an attacker to easily fixate an identifier since the application trusts all identifiers provided to it.
2. Strict: The application trusts only those session identifiers that were generated locally. Although this is a far stronger mechanism, it does not make applications immune to session fixation. With a strict mechanism, the attacker needs to set up a trap session to obtain a valid identifier, trick the victim into using the identifier, and leverage session fixation. Also, the attacker may now be required to periodically refresh the trap session in order to maintain a valid session identifier.
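The permissive and strict mechanisms described above, together with the regenerate-on-privilege-change mitigation from Solutions and Mitigations, modelled in Python as an added example (not CAPEC's code nor any product's). `SessionStore`, `resolve`, `login` and the constructed scenario in `fixation_blocked` are assumptions for illustration; the planted value abc1234 is the one the page uses.

```python
import secrets


class SessionStore:
    """Server-side session table; permissive=True adopts client-supplied IDs."""

    def __init__(self, permissive=False):
        self.permissive = permissive
        self.sessions = {}  # session_id -> authenticated user name (or None)

    def resolve(self, client_id):
        """Choose the session ID for a request that arrived carrying client_id."""
        if client_id in self.sessions:          # an ID this server issued or adopted
            return client_id
        if self.permissive and client_id:       # permissive: trust any presented value
            self.sessions[client_id] = None     # so the attacker can choose the ID
            return client_id
        sid = secrets.token_urlsafe(32)         # strict: issue a fresh 256-bit random ID
        self.sessions[sid] = None
        return sid

    def login(self, sid, user, regenerate=True):
        """Privilege change: with regenerate, destroy sid and issue a new one."""
        if not regenerate:                      # weak: the pre-login ID survives login
            self.sessions[sid] = user
            return sid
        del self.sessions[sid]                  # whatever was planted is now worthless
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid)


def fixation_blocked(permissive, regenerate):
    """Replay the pattern against one configuration (constructed scenario).

    Returns True when the identifier planted in the victim's client no longer
    maps to the victim's authenticated session after the login.
    """
    store = SessionStore(permissive)
    # Permissive: attacker picks any value. Strict: attacker must first obtain a
    # valid identifier from a trap session of their own.
    planted = "abc1234" if permissive else store.resolve(None)
    victim_sid = store.resolve(planted)         # victim's request carries planted ID
    store.login(victim_sid, "victim", regenerate)
    return store.user_for(planted) is None      # attacker replays the planted ID
```

Running the four combinations shows the page's point: the strict mechanism alone still loses to a trap session, and only regenerating the identifier at login defeats the pattern in both modes.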

Session identifiers can be fixated:
1. In the URL: The attacker needs to have the victim click on a hyperlink such as http://targetserver.com/login.jsp?jsessionid=176k36kk92adnn0lajeq91
2. In hidden form fields: The attacker needs to trick the victim into clicking on a look-alike form that contains the fixated session identifier.
3. In the cookie: This is the most difficult location in which to fixate an identifier. The attacker has to resort to another mechanism such as Cross-Site Scripting to introduce a cookie with a fixated session identifier. This can be achieved either by using a client-side script to introduce the cookie (document.cookie="sessionid=abc1234") or by injecting cookies using the META tag (<meta http-equiv=Set-Cookie content="sessionid=abc1234">).

Injection Vector

GET or POST data, Hidden form fields and session cookies

Payload

Preset session identifier

Activation Zone

Target application's session management mechanism

Payload Activation Impact

The payload activation impact is that a session identifier of the attacker's choice is considered valid and trust decisions by the application will be based on such a fixated identifier.

Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
384 | Session Fixation | Targeted
361 | Time and State | Secondary
Related Attack Patterns
ID | Name | Relationship Type | Relationship Description
21 | Exploitation of Session Variables, Resource IDs and other Trusted Credentials | More Detailed |
Relevant Security Requirements

Regenerate session identifiers upon each new request. This ensures that fixated session identifiers are rendered obsolete.

Regenerate a session identifier every time a user enters an authenticated session, and destroy the identifier when the user logs out of an authenticated session.

Set appropriate expiry times on cookies that contain session identifiers. This helps limit the window of opportunity for an attacker to use the identifier.

Do not use session identifiers as part of URLs or hidden form fields. It becomes easy for an attacker to trick a user into a fixated session when session identifiers are easily accessible.

Authenticate every transaction by requesting credentials. This ensures that only a legitimate user of the application can proceed with the transaction. If an attacker seeks to perform any such authenticated transaction, valid credentials will be required even though session fixation may have been successful earlier.

Related Security Principles
  • Complete Mediation
  • Reluctance to Trust
  • Defense in Depth
Related Guidelines
  • Never Use Unvalidated Input as Part of a Directive to any Internal Component
Purpose

Penetration

CIA Impact
Confidentiality Impact | Integrity Impact | Availability Impact
High | High | Low
Technical Context
Architectural Paradigm | Framework | Platform | Language
Client-Server | J2EE | All | All
References

G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.

CWE - Session Fixation

CWE - Time and State

Source
Submission(s)
Submitter | Organization | Date | Comment
Chiradeep B Chhaya | | 2007-01-29 | Second Draft
Modification(s)
Modifier | Organization | Date | Comment
Malik Hamro | Cigital, Inc | 2007-02-27 | Reformat to new schema and review
Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Description and Related Attack Patterns
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback
 
Page Last Updated: April 18, 2008