CAPEC - CAPEC-59: Session Credential Falsification through Prediction (Version 3.9)


CAPEC Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks	New to CAPEC? Start Here

Home > CAPEC List > CAPEC-59: Session Credential Falsification through Prediction (Version 3.9)

CAPEC-59: Session Credential Falsification through Prediction

Attack Pattern ID: 59

Abstraction: Detailed

View customized information:

Description

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	196	Session Credential Falsification through Forging

Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find Session IDs: The attacker interacts with the target host and finds that session IDs are used to authenticate users.
Techniques
An attacker makes many anonymous connections and records the session IDs assigned.
An attacker makes authorized connections and records the session tokens or credentials issued.

Techniques
An attacker makes many anonymous connections and records the session IDs assigned.
An attacker makes authorized connections and records the session tokens or credentials issued.

Characterize IDs: The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable.

Techniques
Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs
Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

Experiment

Match issued IDs: The attacker brute forces different values of session ID and manages to predict a valid session ID.
Techniques
The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

Techniques
The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

Exploit

Use matched Session ID: The attacker uses the falsified session ID to access the target system.

Techniques
The attacker loads the session ID into their web browser and browses to restricted data or functionality.
The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.

Prerequisites

The target host uses session IDs to keep track of the users.

Session IDs are used to control access to resources.

The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

Skills Required

[Level: Low]

There are tools to brute force session ID. Those tools require a low level of knowledge.

[Level: Medium]

Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.

Consequences

Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Confidentiality Access Control Authorization	Gain Privileges

Mitigations

Use a strong source of randomness to generate a session ID.

Use adequate length session IDs

Do not use information available to the user in order to generate session ID (e.g., time).

Ideas for creating random numbers are offered by Eastlake [RFC1750]

Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.

Example Instances

Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. See also: CVE-2006-6969

mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. See also: CVE-2001-1534

Related Weaknesses

Section HelpA Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
290	Authentication Bypass by Spoofing
330	Use of Insufficiently Random Values
331	Insufficient Entropy
346	Origin Validation Error
488	Exposure of Data Element to Wrong Session
539	Use of Persistent Cookies Containing Sensitive Information
200	Exposure of Sensitive Information to an Unauthorized Actor
6	J2EE Misconfiguration: Insufficient Session-ID Length
285	Improper Authorization
384	Session Fixation
693	Protection Mechanism Failure

Taxonomy Mappings

Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping (see parent)

Relevant to the WASC taxonomy mapping

Entry ID	Entry Name
18	Credential/Session Prediction

Relevant to the OWASP taxonomy mapping

Entry Name
Session Prediction

References

[REF-1] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. 2004-02.

Content History

Submissions
Submission Date	Submitter	Organization
2014年06月23日 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014年06月23日 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017年08月04日 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017年08月04日 (Version 2.11)	Updated Related_Attack_Patterns
2020年07月30日 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020年07月30日 (Version 3.3)	Updated Execution_Flow
2020年12月17日 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020年12月17日 (Version 3.4)	Updated Taxonomy_Mappings
2021年06月24日 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021年06月24日 (Version 3.5)	Updated Related_Weaknesses

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


MITRE	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| CAPEC on Twitter CAPEC on LinkedIn CAPEC on YouTube CAPEC Out-of-Bounds-Read Podcast CAPEC Blog on Medium Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.	HSSEDI

Common Attack Pattern Enumeration and Classification

CAPEC-59: Session Credential Falsification through Prediction