CAPEC-59

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: High
Session Credential Falsification through Prediction

Description

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Prerequisites

The target host uses session IDs to keep track of the users.

Session IDs are used to control access to resources.

The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

Mitigations

Use a strong source of randomness to generate a session ID.

Use adequate length session IDs

Do not use information available to the user in order to generate session ID (e.g., time).

Ideas for creating random numbers are offered by Eastlake [RFC1750]

Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.

Skills Required

[Low] There are tools to brute force session ID. Those tools require a low level of knowledge.

[Medium] Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.