| Name |
Session Credential Falsification through Prediction |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking. |
| Prerequisites |
The target host uses session IDs to keep track of the users. Session IDs are used to control access to resources. The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time). |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users. |
- An attacker makes many anonymous connections and records the session IDs assigned.
- An attacker makes authorized connections and records the session tokens or credentials issued.
|
| 2 |
Explore |
[Characterize IDs] The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable. |
- Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
- Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
- Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.
|
| 3 |
Experiment |
[Match issued IDs] The attacker brute forces different values of session ID and manages to predict a valid session ID. |
- The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.
|
| 4 |
Exploit |
[Use matched Session ID] The attacker uses the falsified session ID to access the target system. |
- The attacker loads the session ID into their web browser and browses to restricted data or functionality.
- The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.
|
|
| Solutions | Use a strong source of randomness to generate a session ID. Use adequate length session IDs Do not use information available to the user in order to generate session ID (e.g., time). Ideas for creating random numbers are offered by Eastlake [RFC1750] Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-6 |
J2EE Misconfiguration: Insufficient Session-ID Length |
| CWE-200 |
Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-285 |
Improper Authorization |
| CWE-290 |
Authentication Bypass by Spoofing |
| CWE-330 |
Use of Insufficiently Random Values |
| CWE-331 |
Insufficient Entropy |
| CWE-346 |
Origin Validation Error |
| CWE-384 |
Session Fixation |
| CWE-488 |
Exposure of Data Element to Wrong Session |
| CWE-539 |
Use of Persistent Cookies Containing Sensitive Information |
| CWE-693 |
Protection Mechanism Failure |
| CWE-719 |
OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-196 |
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials. |
|
| Taxonomy: WASC |
|
Entry ID
|
Entry Name
|
| 18 |
Credential/Session Prediction |
|
| Taxonomy: OWASP Attacks |
|
Entry ID
|
Entry Name
|
| Link |
Session Prediction |
|