CAPEC-60 Detail

Reusing Session IDs (aka Session Replay)

Abstraction: Detailed
Domain: Software
Likelihood of Attack: High
Typical Severity: High

Parents: 593

Threats: T292 T293 T377

Description

This attack targets the reuse of a valid session ID to spoof the target system and obtain the privileges of the session's legitimate owner. The attacker presents a session ID stolen from an earlier transaction, so that the server treats the attacker's requests as that user's; this is spoofing combined with session hijacking. Another name for this type of attack is Session Replay.


External ID Source Link Description
CAPEC-60 capec https://capec.mitre.org/data/definitions/60.html
CWE-294 cwe http://cwe.mitre.org/data/definitions/294.html
CWE-290 cwe http://cwe.mitre.org/data/definitions/290.html
CWE-346 cwe http://cwe.mitre.org/data/definitions/346.html
CWE-384 cwe http://cwe.mitre.org/data/definitions/384.html
CWE-488 cwe http://cwe.mitre.org/data/definitions/488.html
CWE-539 cwe http://cwe.mitre.org/data/definitions/539.html
CWE-200 cwe http://cwe.mitre.org/data/definitions/200.html
CWE-285 cwe http://cwe.mitre.org/data/definitions/285.html
CWE-664 cwe http://cwe.mitre.org/data/definitions/664.html
CWE-732 cwe http://cwe.mitre.org/data/definitions/732.html
T1134.001 ATTACK https://attack.mitre.org/wiki/Technique/T1134/001 Access Token Manipulation:Token Impersonation/Theft
T1550.004 ATTACK https://attack.mitre.org/wiki/Technique/T1550/004 Use Alternate Authentication Material:Web Session Cookie
REF-1 reference_from_CAPEC G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004-02, Addison-Wesley
Explore
  1. The attacker interacts with the target host and finds that session IDs are used to authenticate users.

  2. The attacker steals a session ID from a valid user.

Exploit
  1. The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.

Prerequisites
  1. The target host uses session IDs to keep track of users.
  2. Session IDs are used to control access to resources.
  3. The session IDs used by the target host are not well protected from session theft.
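The execution flow and prerequisites above describe the attack abstractly. The following is an added example, not code from CAPEC or from any of the products cited on this page: a constructed, in-memory session store in two versions. The vulnerable version issues a session ID that is a fixed function of the username, so an ID seen once (for instance in a forwarded URL) replays indefinitely, which is the pattern of the Merak Mail instance below. The hardened version issues a fresh CSPRNG-generated ID on every login, expires sessions on idle and absolute timeouts, revokes the ID when it arrives from a client whose fingerprint differs from the one it was issued to, and records each rejected replay for detection. The class names, the `client_fp` string and the timeout values are assumptions chosen for the illustration.

```python
"""CAPEC-60 session replay: a vulnerable session store beside a hardened one (constructed example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    client_fp: str  # attributes of the client the session was issued to (assumed format "ip|user-agent")


class StaticIdServer:
    """Vulnerable: the session ID is derived from the username, so it is identical across
    logins and any copy of it (a leaked URL, a log line) can be replayed at any later time."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        # Password handling is stubbed; only the session-ID handling matters for this example.
        sid = hashlib.md5(user.encode()).hexdigest()  # static, predictable identifier
        now = time.time()
        self.sessions[sid] = Session(user, now, now, "")
        return sid

    def whoami(self, sid, client_fp=""):
        s = self.sessions.get(sid)
        return s.user if s else None  # no expiry, no binding: any holder of the ID is the user


class HardenedServer:
    """Fresh random ID per login, idle/absolute expiry, client binding, audit of rejected replays."""

    IDLE_TIMEOUT = 15 * 60       # assumed: 15 minutes of inactivity
    ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: 8 hours since login

    def __init__(self, now=time.time):
        self.sessions = {}
        self.now = now  # injectable clock so expiry can be exercised deterministically
        self.audit = []

    def login(self, user, password, client_fp):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never reused
        t = self.now()
        self.sessions[sid] = Session(user, t, t, client_fp)
        return sid

    def whoami(self, sid, client_fp):
        s = self.sessions.get(sid)
        t = self.now()
        if s is None:
            self.audit.append(("unknown_or_revoked_sid", sid[:8]))
            return None
        if t - s.created > self.ABSOLUTE_TIMEOUT or t - s.last_seen > self.IDLE_TIMEOUT:
            del self.sessions[sid]
            self.audit.append(("expired_sid", s.user))
            return None
        if not secrets.compare_digest(s.client_fp, client_fp):
            # Presented from a different client than it was issued to: treat as theft and revoke.
            del self.sessions[sid]
            self.audit.append(("fingerprint_mismatch", s.user))
            return None
        s.last_seen = t
        return s.user

    def logout(self, sid):
        self.sessions.pop(sid, None)


def replay_demo():
    """Runs the replay against both servers and returns the observed outcomes."""
    v = StaticIdServer()
    leaked = v.login("alice", "pw")      # attacker captures this ID once
    v.login("alice", "pw")               # alice logs in again later; same ID is issued
    vulnerable_replay = v.whoami(leaked)  # attacker is accepted as alice

    clock = [1_000_000.0]
    h = HardenedServer(now=lambda: clock[0])
    fp_alice = "203.0.113.7|Mozilla/5.0"      # constructed client fingerprints
    fp_attacker = "198.51.100.9|curl/8.0"
    stolen = h.login("alice", "pw", fp_alice)
    cross_client = h.whoami(stolen, fp_attacker)   # rejected and revoked
    sid2 = h.login("alice", "pw", fp_alice)        # new login, new ID
    old_after_relogin = h.whoami(stolen, fp_alice)  # old ID no longer exists
    legit = h.whoami(sid2, fp_alice)               # alice herself still works
    clock[0] += HardenedServer.IDLE_TIMEOUT + 1
    after_idle = h.whoami(sid2, fp_alice)          # idle timeout reached
    return {
        "vulnerable_replay": vulnerable_replay, "cross_client": cross_client,
        "old_after_relogin": old_after_relogin, "legit": legit, "after_idle": after_idle,
        "ids_differ": stolen != sid2, "audit": [event for event, _ in h.audit],
    }


if __name__ == "__main__":
    for k, val in replay_demo().items():
        print(f"{k}: {val}")
```

The fingerprint check is a heuristic, not a boundary: IP addresses change behind NAT and on mobile networks, and revoking on mismatch lets an attacker who merely guesses an ID knock the real user out. The controls that actually defeat replay are the unpredictable per-login ID, rotation of the ID on authentication and privilege change, short lifetimes, and transport that keeps the ID off the wire and out of URLs (TLS plus `Secure`/`HttpOnly` cookies); the audit entries give detection something to alert on when a revoked or expired ID is presented.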


Skills Required
  Low: If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.
  Medium: A more sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID.
Consequences
  Authorization: Gain Privileges
  Access Control: Gain Privileges
  Confidentiality: Gain Privileges
Example Instances
  1. OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428
  2. Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258