CAPEC-59: Session Credential Falsification through Prediction

Abstraction: Detailed
Status: Draft
Likelihood: High
Severity: High

Description

This attack targets predictable session IDs in order to gain privileges. An attacker who can predict the session ID used during a transaction can use it to spoof the legitimate user and hijack the session. Metadata: detailed CAPEC pattern, status draft, likelihood high, severity high. Underlying weaknesses: CWE-290, CWE-330, CWE-331, CWE-346, CWE-488 and six others (full list below). Related CAPEC pattern: CAPEC-196.

Related weaknesses (11)

CWE-290, CWE-330, CWE-331, CWE-346, CWE-488, CWE-539, CWE-200, CWE-6, CWE-285, CWE-384, CWE-693

Related attack patterns (1)

CAPEC-196 (ChildOf)

Exploits (11)

Type      Target                                                        ID       Confidence  Tier
Weakness  Session Fixation                                              CWE-384  100%        live
Weakness  Authentication Bypass by Spoofing                             CWE-290  100%        live
Weakness  Use of Persistent Cookies Containing Sensitive Information    CWE-539  100%        live
Weakness  Exposure of Data Element to Wrong Session                     CWE-488  100%        live
Weakness  Protection Mechanism Failure                                  CWE-693  100%        live
Weakness  Improper Authorization                                        CWE-285  100%        live
Weakness  J2EE Misconfiguration: Insufficient Session-ID Length         CWE-6    100%        live
Weakness  Use of Insufficiently Random Values                           CWE-330  100%        live
Weakness  Exposure of Sensitive Information to an Unauthorized Actor    CWE-200  100%        live
Weakness  Insufficient Entropy                                          CWE-331  100%        live
Weakness  Origin Validation Error                                       CWE-346  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Session Credential Falsification through Manipulation
CAPEC: Session Credential Falsification through Forging
CAPEC: Reusing Session IDs (aka Session Replay)
CAPEC: Session Hijacking
CAPEC: Session Fixation
CAPEC: Server Side Request Forgery

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.