CAPEC-196 Detail
Session Credential Falsification through Forging
Abstraction: Standard. Domain: Software. Likelihood of Attack: Medium. Typical Severity: Medium.
Parents: 21
Children: 59 226
Threats: T292 T293
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-196 | capec | https://capec.mitre.org/data/definitions/196.html | |
| CWE-384 | cwe | http://cwe.mitre.org/data/definitions/384.html | |
| CWE-664 | cwe | http://cwe.mitre.org/data/definitions/664.html | |
| T1134.002 | ATTACK | https://attack.mitre.org/wiki/Technique/T1134/002 | Access Token Manipulation: Create Process with Token |
| T1134.003 | ATTACK | https://attack.mitre.org/wiki/Technique/T1134/003 | Access Token Manipulation: Make and Impersonate Token |
| T1606 | ATTACK | https://attack.mitre.org/wiki/Technique/T1606 | Forge Web Credentials |
| REF-62 | reference_from_CAPEC | https://crypto.stanford.edu/cs155old/cs155-spring08/papers/Session_Riding.pdf | Thomas Schreiber, Session Riding: A Widespread Vulnerability in Today's Web Applications, SecureNet GmbH |
| REF-63 | reference_from_CAPEC | http://www.owasp.org/index.php/Testing_for_Session_Management | OWASP Testing Guide (v4), The Open Web Application Security Project (OWASP) |
Explore
- Analyze and Understand Session IDs: The attacker finds that the targeted application uses session credentials to identify legitimate users.
| Techniques |
|---|
| An attacker makes many anonymous connections and records the session IDs. |
| An attacker makes authorized connections and records the session tokens or credentials. |
Experiment
- Create Session IDs: Attackers craft messages containing their forged credentials in GET or POST requests, HTTP headers, or cookies.
| Techniques |
|---|
| The attacker manipulates the HTTP request message and adds their forged session IDs into the requests or cookies. |
Exploit
- Abuse the Victim's Session Credentials: The attacker fixates a falsified session ID on the victim when the victim accesses the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can take over the session using the forged session identifier.
| Techniques |
|---|
| The attacker loads the predefined or predicted session ID into their browser and browses to protected data or functionality. |
| The attacker loads the predefined or predicted session ID into their software and utilizes functionality with the rights of the victim. |
- The targeted application must use session credentials to identify legitimate users.
- Session identifiers that remain unchanged when the privilege level changes.
- Predictable session identifiers.
- Attackers may require tools to craft messages containing their forged credentials, and the ability to send HTTP requests to a web application.
| Skill Level | Description |
|---|---|
| Medium | Forge the session credential and replay the request. |
| Integrity | Authorization | Access Control | Accountability | Authentication | Confidentiality | Non-Repudiation |
|---|---|---|---|---|---|---|
| Modify Data | Execute Unauthorized Commands (Run Arbitrary Code) | Bypass Protection Mechanism | Gain Privileges | Gain Privileges | Read Data | Gain Privileges |
| Gain Privileges | | | | | | |
| Bypass Protection Mechanism | | | | | | |
- This example uses client-side scripting to set the session ID in the victim's browser. The JavaScript code `document.cookie="sessionid=0123456789"` fixates a falsified session credential into the victim's browser with the help of a crafted URL link: `http://www.example.com/<script>document.cookie="sessionid=0123456789"</script>`. A similar example passes the session ID as an argument of the URL: `http://www.example.com/index.php/sessionid=0123456789`. Once the victim clicks the link, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session.
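The prerequisites above (predictable session identifiers, identifiers that survive a privilege change) and the fixation example are what a server-side session design has to remove. The following is an added example, not code from CAPEC or from any project: a hypothetical `SessionStore` that issues random, HMAC-bound identifiers, rejects any value it never issued (so the fixated `0123456789` cookie is never honoured), and regenerates the identifier at login. The key and the class name are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class SessionStore:
    """Hypothetical server-side session store (constructed for this example).

    It removes the prerequisites CAPEC-196 lists: session ids are
    unpredictable, a client-crafted cookie fails HMAC verification, an id the
    server never issued (fixated or guessed) is rejected, and the id is
    regenerated at login so a pre-authentication id never gains privileges.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key  # constructed demo key; load from secret storage in practice
        self._sessions: dict[str, Optional[str]] = {}  # id -> user, None = anonymous

    def _mac(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: Optional[str] = None) -> str:
        """Create a fresh session and return the cookie value '<id>.<mac>'."""
        sid = secrets.token_urlsafe(32)  # 256 random bits: not predictable
        self._sessions[sid] = user
        return f"{sid}.{self._mac(sid)}"

    def resolve(self, cookie: Optional[str]) -> Optional[str]:
        """Return the session id behind a valid cookie, else None (missing or
        malformed cookie, bad MAC, or an id this server never issued)."""
        if not cookie or "." not in cookie:
            return None
        sid, _, mac = cookie.rpartition(".")
        if not hmac.compare_digest(mac, self._mac(sid)):
            return None  # signature mismatch: the client made this cookie up
        return sid if sid in self._sessions else None  # unknown id: fixation/guess

    def user_of(self, cookie: Optional[str]) -> Optional[str]:
        sid = self.resolve(cookie)
        return self._sessions[sid] if sid else None

    def login(self, cookie: Optional[str], user: str) -> str:
        """Authenticate the caller: retire the pre-login id, issue a new one."""
        old = self.resolve(cookie)
        if old is not None:
            del self._sessions[old]  # copies of the old id (fixated or observed) die here
        return self.issue(user)
```

Because `login` discards the pre-authentication identifier, a value planted in the victim's browser before they log in never becomes a privileged session, and a guessed or replayed value fails both the MAC check and the server-side lookup.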