Session Credential Falsification through Forging
Attack Pattern ID: 196 (Standard Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

An attacker creates a session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials, they may be able to bypass authentication or piggyback on some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks: in those attacks the attacker uses a previous or existing credential without modification, whereas in a forging attack the attacker must create their own credential, although it may be based on previously observed credentials.
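The following is an added illustration, not part of the CAPEC entry, of what makes a session credential resistant to forging: the server binds each credential to a secret it alone holds (an HMAC tag) and to a record of the credentials it actually issued, so a value assembled from observed credentials, a guessed tag, or an edited id is rejected. The key, the function names (issue_credential, verify_credential, weak_verify_credential, demo) and the sample principals are all constructed for this example; the weak scheme is included only as a contrast.

```python
"""Added example (not part of the CAPEC entry): a session-credential scheme
that rejects credentials the server never issued.

Assumed design, chosen for illustration: a random 256-bit session id, an
HMAC-SHA256 tag computed under a server-only key, and a server-side table of
issued ids. The key, the function names and the sample principals are all
constructed for this example."""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed key for the example only; a deployment loads it from a secret store.
SERVER_KEY = b"example-only-key-do-not-use-in-production"

# Server-side record of issued ids -> principal. A credential is accepted only if
# its id is in this table AND its tag matches, so neither guessing nor editing an
# observed credential yields a usable one.
SESSIONS: Dict[bytes, str] = {}


def b64_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac_tag(session_id: bytes) -> bytes:
    """Tag that only a holder of SERVER_KEY can produce."""
    return hmac.new(SERVER_KEY, session_id, hashlib.sha256).digest()


def issue_credential(principal: str) -> str:
    """Called once authentication has succeeded. Format: <id>.<tag>, both base64url."""
    session_id = secrets.token_bytes(32)  # CSPRNG output, unrelated to user data or time
    SESSIONS[session_id] = principal
    return f"{b64_encode(session_id)}.{b64_encode(mac_tag(session_id))}"


def verify_credential(credential: str) -> Optional[str]:
    """Return the principal if the credential was issued by this server, else None."""
    try:
        id_part, tag_part = credential.split(".", 1)
        session_id, tag = b64_decode(id_part), b64_decode(tag_part)
    except (ValueError, binascii.Error):
        return None
    if len(session_id) != 32 or len(tag) != 32:
        return None
    # Constant-time comparison: a mismatch must not leak which bytes were wrong.
    if not hmac.compare_digest(tag, mac_tag(session_id)):
        return None
    # A correctly tagged id is still rejected unless this server actually issued it.
    return SESSIONS.get(session_id)


def weak_verify_credential(credential: str) -> Optional[str]:
    """Contrast: a credential that is just base64(<principal>:<counter>) involves no
    server secret and no issuance record, so any well-formed value is accepted."""
    try:
        principal, _counter = b64_decode(credential).decode("utf-8").split(":", 1)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    return principal


def demo() -> Dict[str, Optional[str]]:
    """Run the verifier over a genuine credential and several constructed ones."""
    genuine = issue_credential("alice")
    id_part, tag_part = genuine.split(".", 1)
    # Constructed inputs: a random id with a guessed all-zero tag, and the genuine
    # credential with one character of its id changed.
    guessed_tag = b64_encode(secrets.token_bytes(32)) + "." + b64_encode(bytes(32))
    altered_id = ("B" if id_part[0] == "A" else "A") + id_part[1:] + "." + tag_part
    # Correctly tagged but never issued: only reachable with SERVER_KEY, shown to
    # exercise the issuance-table check.
    unissued = secrets.token_bytes(32)
    tagged_unissued = b64_encode(unissued) + "." + b64_encode(mac_tag(unissued))
    return {
        "genuine": verify_credential(genuine),
        "guessed_tag": verify_credential(guessed_tag),
        "altered_id": verify_credential(altered_id),
        "tagged_unissued": verify_credential(tagged_unissued),
        "weak_never_issued": weak_verify_credential(b64_encode(b"bob:1")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>18}: {'accepted as ' + result if result else 'rejected'}")
```

Running the module shows the hardened verifier accepting only the genuine credential while the weak verifier accepts a value that was never issued. The two checks are deliberately separate: the MAC stops credentials built without the server key, and the issuance table stops replay of an id that was revoked or never handed out, which is also where a server-side expiry or logout would be enforced.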

+ Attack Prerequisites

The targeted application must use session credentials to identify legitimate users.

+ Resources Required

Attackers may require tools to craft messages containing their forged credentials.

+ Related Weaknesses
CWE-ID  Weakness Name     Weakness Relationship Type
384     Session Fixation  Targeted
+ Related Attack Patterns
Nature      Type            ID   Name                                                                          View(s) this relationship pertains to
ChildOf     Attack Pattern  21   Exploitation of Session Variables, Resource IDs and other Trusted Credentials  Mechanism of Attack (primary) 1000
CanPrecede  Attack Pattern  61   Session Fixation                                                              Mechanism of Attack 1000
ParentOf    Attack Pattern  59   Session Credential Falsification through Prediction                           Mechanism of Attack (primary) 1000
ParentOf    Attack Pattern  226  Session Credential Falsification through Manipulation                         Mechanism of Attack (primary) 1000

Description of the CanPrecede relationship to 61 (Session Fixation): In a Session Fixation attack, the attacker provides a credential and coerces a user into using that credential when authenticating with the server. If the format of credentials is anything but trivial, the attacker would need to forge a valid-looking credential first.