Session Credential Falsification through Prediction |
Attack Pattern ID: 59 (Detailed Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft |
Summary
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Attack Execution Flow
Find Session IDs:
The attacker interacts with the target host and finds that session IDs are used to authenticate users.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 An attacker makes many anonymous connections and records the session IDs assigned.
env-Web env-Peer2Peer env-CommProtocol env-ClientServer2 An attacker makes authorized connections and records the session tokens or credentials issued.
env-Web env-Peer2Peer env-CommProtocol env-ClientServerIndicators
ID type Indicator Description Environments 1 Positive Web applications use session IDs
env-Web2 Positive Network systems issue session IDs or connection IDs
env-CommProtocol env-ClientServer env-Peer2PeerSecurity Controls
ID type Security Control Description 1 Detective Monitor logs for unusual amounts of invalid sessions.2 Detective Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts.Characterize IDs:
The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
env-Web env-ClientServer env-Peer2Peer env-CommProtocol2 Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
env-Web env-ClientServer env-Peer2Peer env-CommProtocol3 Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.
env-Web env-ClientServer env-Peer2Peer env-CommProtocolOutcomes
ID type Outcome Description 1 Success Patterns are detectable in session IDs2 Failure Session IDs pass NIST FIPS 140 statistical tests for cryptographic randomness.3 Success Session IDs are repeated.
Match issued IDs:
The attacker brute forces different values of session ID and manages to predict a valid session ID.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 The attacker models the session ID algorithm enough to produce a compatible series os IDs, or just one match.
env-Web env-ClientServer env-Peer2Peer env-CommProtocolOutcomes
ID type Outcome Description 1 Success Session identifiers successfully spoofed2 Failure No session IDs can be found or exploited
Use matched Session ID:
The attacker uses the falsified session ID to access the target system.
Attack Step Techniques
ID Attack Step Technique Description Environments 1 The attacker loads the session ID into his web browser and browses to restricted data or functionality.
env-Web2 The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality.
env-CommProtocol env-Peer2Peer env-ClientServerSecurity Controls
ID type Security Control Description 1 Detective Monitor the correlation between session IDs and other station designations (MAC address, IP address, VLAN, etc.). Alert on session ID reuse from multiple sources.2 Preventative Terminate both sessions if an ID is used from multiple origins.
The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are predictable.For example, the session IDs are generated using predictable information (e.g., time).
Description
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.
Related Vulnerabilities
CVE-2006-6969
Description
mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication.
Related Vulnerabilities
CVE-2001-1534
Skill or Knowledge Level: Low
There are tools to brute force sesion ID. Those tools require a low level of knowledge.
Skill or Knowledge Level: Medium
Predicting Session ID may require more computation work which uses advanced analysis such as statistic analysis.
The attacker can perform analysis of the randomness of the session generation algortihm.
The attacker may need to steal a few valid session IDs using a different type of attack. And then use those session ID to predict the following ones.
The attacker can use brute force tools to find a valid session ID.
Use a strong source of randomness to generate a session ID.
Use adequate length session IDs
Do not use information available to the user in order to generate session ID (e.g., time).
Ideas for creating random numbers are offered by Eastlake [RFC1750]
Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.
CWE-ID | Weakness Name | Weakness Relationship Type |
---|---|---|
290 | Authentication Bypass by Spoofing | Targeted |
330 | Use of Insufficiently Random Values | Targeted |
331 | Insufficient Entropy | Targeted |
346 | Origin Validation Error | Targeted |
488 | Data Leak Between Sessions | Secondary |
539 | Information Leak Through Persistent Cookies | Secondary |
200 | Information Exposure | Secondary |
6 | J2EE Misconfiguration: Insufficient Session-ID Length | Targeted |
285 | Improper Access Control (Authorization) | Secondary |
384 | Session Fixation | Secondary |
693 | Protection Mechanism Failure | Targeted |
719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage | Secondary |
Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
---|---|---|---|---|---|
ChildOf | Attack Pattern | 196 | Session Credential Falsification through Forging | Mechanism of Attack (primary)1000 | |
ChildOf | Category | 351 | WASC Threat Classification 2.0 - WASC-18 - Credential/Session Prediction | WASC Threat Classification 2.0333 |