CAPEC Details
Name Reusing Session IDs (aka Session Replay)
Likelyhood of attack Typical severity
High High
Summary This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
Prerequisites The target host uses session IDs to keep track of the users. Session IDs are used to control access to resources. The session IDs used by the target host are not well protected from session theft.
Execution Flow
Step Phase Description Techniques
1 Explore The attacker interacts with the target host and finds that session IDs are used to authenticate users.
2 Explore The attacker steals a session ID from a valid user.
3 Exploit The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.
Solutions Always invalidate a session ID after the user logout. Setup a session time out for the session IDs. Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94). Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker. Encrypt the session data associated with the session ID. Use multifactor authentication.
Related Weaknesses
CWE ID Description
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-285 Improper Authorization
CWE-290 Authentication Bypass by Spoofing
CWE-294 Authentication Bypass by Capture-replay
CWE-346 Origin Validation Error
CWE-384 Session Fixation
CWE-488 Exposure of Data Element to Wrong Session
CWE-539 Use of Persistent Cookies Containing Sensitive Information
CWE-664 Improper Control of a Resource Through its Lifetime
CWE-732 Incorrect Permission Assignment for Critical Resource
Related CAPECS
CAPEC ID Description
CAPEC-593 This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
Taxonomy: ATTACK
Entry ID Entry Name
1134.001 Access Token Manipulation:Token Impersonation/Theft
1134.002 Access Token Manipulation:Create Process with Token
1550.004 Use Alternate Authentication Material:Web Session Cookie