CAPEC-61: Session Fixation

Abstraction: Detailed
Status: Draft
Likelihood: Medium
Severity: High

Description

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

Related weaknesses (3)

CWE-384, CWE-664, CWE-732

Related attack patterns (1)

CAPEC-593 (ChildOf)

Exploits (3)

Type     | Target                                                          | Confidence | Tier
Weakness | Session Fixation (CWE-384)                                      | 100%       | live
Weakness | Incorrect Permission Assignment for Critical Resource (CWE-732) | 100%       | live
Weakness | Improper Control of a Resource Through its Lifetime (CWE-664)   | 100%       | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Session Credential Falsification through Manipulation
CAPEC: Session Credential Falsification through Forging
CAPEC: Session Hijacking
CAPEC: Reusing Session IDs (aka Session Replay)
CAPEC: Session Credential Falsification through Prediction
CAPEC: Session Sidejacking

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.