Home  >  CAPEC-593
CAPEC Details
Name Session Hijacking
Likelyhood of attack Typical severity
High Very High
Summary This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
Prerequisites An application that leverages sessions to perform authentication.
Execution Flow
Step Phase Description Techniques
1 Explore [Discover Existing Session Token] Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.
2 Experiment [Insert Found Session Token] The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.
3 Exploit [Session Token Exploitation] The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
Solutions Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. If the user logs back in then a new session key should be generated.
Related Weaknesses
CWE ID Description
CWE-287 Improper Authentication
Related CAPECS
CAPEC ID Description
CAPEC-21 An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
Taxonomy: ATTACK
Entry ID Entry Name
1550.001 Use Alternate Authentication Material:Application Access Token
1563 Remote Service Session Hijacking
Taxonomy: OWASP Attacks
Entry ID Entry Name
Link Session hijacking attack