Name |
Session Credential Falsification through Manipulation |
|
Likelyhood of attack |
Typical severity |
High |
Medium |
|
Summary |
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server. For example, a credential in the form of a web cookie might have a field that indicates the access rights of a user. By manually tweaking this cookie, a user might be able to increase their access rights to the server. Alternately an attacker may be able to manipulate an existing credential to appear as a different user. This attack differs from falsification through prediction in that the user bases their modified credentials off existing credentials instead of using patterns detected in prior credentials to create a new credential that is accepted because it fits the pattern. As a result, an attacker may be able to impersonate other users or elevate their permissions to a targeted service. |
Prerequisites |
The targeted application must use session credentials to identify legitimate users. |
Solutions | |
Related Weaknesses |
CWE ID
|
Description
|
CWE-472 |
External Control of Assumed-Immutable Web Parameter |
CWE-565 |
Reliance on Cookies without Validation and Integrity Checking |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-196 |
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials. |
|