CAPEC attack pattern -> Related Weakness (CWE)

Reusing Session IDs (aka Session Replay)
    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
    CWE-285 Improper Authorization
    CWE-290 Authentication Bypass by Spoofing
    CWE-294 Authentication Bypass by Capture-replay
    CWE-346 Origin Validation Error
    CWE-384 Session Fixation
    CWE-488 Exposure of Data Element to Wrong Session
    CWE-539 Use of Persistent Cookies Containing Sensitive Information
    CWE-664 Improper Control of a Resource Through its Lifetime
    CWE-732 Incorrect Permission Assignment for Critical Resource

Session Credential Falsification through Prediction
    CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length
    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
    CWE-285 Improper Authorization
    CWE-290 Authentication Bypass by Spoofing
    CWE-330 Use of Insufficiently Random Values
    CWE-331 Insufficient Entropy
    CWE-346 Origin Validation Error
    CWE-384 Session Fixation
    CWE-488 Exposure of Data Element to Wrong Session
    CWE-539 Use of Persistent Cookies Containing Sensitive Information
    CWE-693 Protection Mechanism Failure
    CWE-719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage

Exploiting Trust in Client
    CWE-20 Improper Input Validation
    CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
    CWE-287 Improper Authentication
    CWE-290 Authentication Bypass by Spoofing
    CWE-693 Protection Mechanism Failure

Creating a Rogue Certification Authority Certificate
    CWE-290 Authentication Bypass by Spoofing
    CWE-295 Improper Certificate Validation
    CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Signature Spoofing by Misrepresentation
    CWE-290 Authentication Bypass by Spoofing

Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
    CWE-290 Authentication Bypass by Spoofing
    CWE-328 Reversible One-Way Hash

Exploitation of Trusted Identifiers
    CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length
    CWE-290 Authentication Bypass by Spoofing
    CWE-302 Authentication Bypass by Assumed-Immutable Data
    CWE-346 Origin Validation Error
    CWE-384 Session Fixation
    CWE-539 Use of Persistent Cookies Containing Sensitive Information
    CWE-602 Client-Side Enforcement of Server-Side Security
    CWE-642 External Control of Critical State Data
    CWE-664 Improper Control of a Resource Through its Lifetime

Signature Spoof
    CWE-20 Improper Input Validation
    CWE-290 Authentication Bypass by Spoofing
    CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Man in the Middle Attack
    CWE-287 Improper Authentication
    CWE-290 Authentication Bypass by Spoofing
    CWE-294 Authentication Bypass by Capture-replay
    CWE-300 Channel Accessible by Non-Endpoint
    CWE-593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
    CWE-724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management