Home > CAPEC List > CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies (Version 3.9)

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

Attack Pattern ID: 31
Abstraction: Detailed
View customized information:
Description
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
Likelihood Of Attack

High

Typical Severity

High

Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.39Manipulating Opaque Client-based Data Tokens
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.157Sniffing Attacks
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
Execution Flow
Explore

  1. Obtain copy of cookie: The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.

    Techniques
    Sniff cookie using a network sniffer such as Wireshark
    Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.
    Steal cookie via a cross-site scripting attack.
    Guess cookie contents if it contains predictable information.
Experiment

  1. Obtain sensitive information from cookie: The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.

    Techniques
    If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.
    Analyze the cookie's contents to determine whether it contains any sensitive information.

  2. Modify cookie to subvert security controls.: The adversary may be able to modify or replace cookies to bypass security controls in the application.

    Techniques
    Modify logical parts of cookie and send it back to server to observe the effects.
    Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.
    Modify cookie bitwise and send it back to server to observe the effects.
    Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance.
Prerequisites
Target server software must be a HTTP daemon that relies on cookies.
The cookies must contain sensitive information.
The adversary must be able to make HTTP requests to the server, and the cookie must be contained in the reply.
Skills Required
[Level: Low]
To overwrite session cookie data, and submit targeted attacks via HTTP
[Level: High]
Exploiting a remote buffer overflow generated by attack
Resources Required
A utility that allows for the viewing and modification of cookies. Many modern web browsers support this behavior.
Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Read Data
Integrity
Modify Data
Confidentiality
Access Control
Authorization
Gain Privileges
Mitigations
Design: Use input validation for cookies
Design: Generate and validate MAC for cookies
Implementation: Use SSL/TLS to protect cookie in transit
Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software.
Example Instances
There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the adversary in the middle attack (CAPEC-94) relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the adversary to accomplish if no other protection mechanisms are in place. See also: CVE-2010-5148 , CVE-2016-0353
Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1539 Steal Web Session Cookie
References
[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.
Content History
Submissions
Submission DateSubmitterOrganization
2014年06月23日
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017年01月09日
(Version 2.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2017年08月04日
(Version 2.11)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_Required
2019年09月30日
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2020年07月30日
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow, Related_Attack_Patterns
2020年12月17日
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow, Related_Attack_Patterns
2021年06月24日
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances, Related_Weaknesses
2022年09月29日
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018

Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.

AltStyle によって変換されたページ (->オリジナル) /