New to CAPEC? Start Here
Home > CAPEC List > CAPEC-60: Reusing Session IDs (aka Session Replay) (Version 3.9)  

CAPEC-60: Reusing Session IDs (aka Session Replay)

Attack Pattern ID: 60
Abstraction: Detailed
View customized information:
+ Description
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.593Session Hijacking
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. The attacker interacts with the target host and finds that session IDs are used to authenticate users.
  2. The attacker steals a session ID from a valid user.
  1. The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.
+ Prerequisites
The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are not well protected from session theft.
+ Skills Required
[Level: Low]
If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.
[Level: Medium]
More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Access Control
Gain Privileges
+ Mitigations
Always invalidate a session ID after the user logout.
Setup a session time out for the session IDs.
Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).
Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.
Encrypt the session data associated with the session ID.
Use multifactor authentication.
+ Example Instances
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428
Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1134.001Access Token Manipulation:Token Impersonation/Theft
1550.004Use Alternate Authentication Material:Web Session Cookie
+ References
[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.10)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Skills_Required, Taxonomy_Mappings
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, Taxonomy_Mappings
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018