Reusing Session IDs (aka Session Replay)
Attack Pattern ID: 60 (Standard Attack Pattern Completeness: Complete)Typical Severity: HighStatus: Draft
+ Description

Summary

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

Attack Execution Flow

  1. The attacker interacts with the target host and finds that session IDs are used to authenticate users.

  2. The attacker steals a session ID from a valid user.

  3. The attacker tries to use the stolen session ID to gain access to the system with the priviledges of the session ID's original owner.

+ Attack Prerequisites

The target host uses session IDs to keep track of the users.

Session IDs are used to control access to resources.

The session IDs used by the target host are not well protected from session theft.

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Spoofing
  • Social Engineering
  • Analysis
+ Examples-Instances

Description

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Related Vulnerabilities

CVE-1999-0428

Description

Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs.

Related Vulnerabilities

CVE-2002-0258

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Low: If an attacker can steal a valid session ID, he can then try to be authenticated with that stolen session ID.

Skill or Knowledge Level: Medium

More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing his valid session ID.

+ Probing Techniques

The attacker can listen to a conversation between the client and server and steal a valid session ID.

The attacker can try to steal session information from the user's coookies.

The attacker can try a valid session from a finished transaction and find out that the transaction associated with the session ID did not time out.

+ Solutions and Mitigations

Always invalidate a session ID after the user logout.

Setup a session time out for the session IDs.

Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate man in the middle attack.

Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.

Encrypt the session data associated with the session ID.

Use multifactor authentication.

+ Attack Motivation-Consequences
  • Privilege Escalation
+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
294Authentication Bypass by Capture-replayTargeted
290Authentication Bypass by SpoofingTargeted
346Origin Validation ErrorTargeted
384Session FixationTargeted
488Data Leak Between SessionsSecondary
539Information Leak Through Persistent CookiesSecondary
200Information ExposureSecondary
285Improper Access Control (Authorization)Secondary
664Improper Control of a Resource Through its LifetimeTargeted
732Incorrect Permission Assignment for Critical ResourceTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern21Exploitation of Session Variables, Resource IDs and other Trusted Credentials 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory380WASC Threat Classification 2.0 - WASC-47 - Insufficient Session Expiration 
WASC Threat Classification 2.0333
+ Related Security Principles
  • Securing the Weakest Link

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
Frameworks
J2EE
.NET
Platforms
All
Languages
All
+ References
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
SubmitterOrganizationDateComments
Eric DalciCigital, Inc2007-01-25
Modifications
ModifierOrganizationDateComments
Sean BarnumCigital, Inc2007-03-07Review and revise
Richard StruseVOXEM, Inc2007-03-26Review and feedback leading to changes in Name and Related Attack Patterns
Sean BarnumCigital, Inc2007-04-13Modified pattern content according to review and feedback