CAPEC-59 - Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 3
  • Spoofing
  • Brute Force
  • Analysis
  • Purposes 1
  • Penetration
  • Sec Principles 1
  • Securing the Weakest Link
  • Scopes 1
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality

Low level: There are tools to brute force session ID. Those tools require a low level of knowledge.

Medium level: Predicting Session ID may require more computation work which uses advanced analysis such as statistical analysis.

The target host uses session IDs to keep track of the users.

Session IDs are used to control access to resources.

The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).

The attacker can perform analysis of the randomness of the session generation algorithm.

The attacker may need to steal a few valid session IDs using a different type of attack. And then use those session ID to predict the following ones.

The attacker can use brute force tools to find a valid session ID.

Step 1 - Find Session IDs

The attacker interacts with the target host and finds that session IDs are used to authenticate users..

Tecnique ID: 1 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

An attacker makes many anonymous connections and records the session IDs assigned.

Tecnique ID: 2 - Environment(s) env-Web env-Peer2Peer env-CommProtocol env-ClientServer

An attacker makes authorized connections and records the session tokens or credentials issued.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

Web applications use session IDs

Indicator ID: 2 - Environment(s) env-CommProtocol env-ClientServer env-Peer2Peer

Type: Positive

Network systems issue session IDs or connection IDs


Security Control ID: 1

Type: Detective

Monitor logs for unusual amounts of invalid sessions.

Security Control ID: 2

Type: Detective

Monitor logs for unusual amounts of invalid connections or invalid requests from unauthorized hosts.


Step 2 - Characterize IDs

The attacker studies the characteristics of the session ID (size, format, etc.). As a results the attacker finds that legitimate session IDs are predictable..

Tecnique ID: 1 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.

Tecnique ID: 2 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs

Tecnique ID: 3 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

Comparison against time. The attacker plots or compares the issued IDs to the time they were issued to check for correlation.

Outcome ID: 1

Type: Success

Patterns are detectable in session IDs

Outcome ID: 2

Type: Failure

Session IDs pass NIST FIPS 140 statistical tests for cryptographic randomness.

Outcome ID: 3

Type: Success

Session IDs are repeated.



Step 1 - Match issued IDs

The attacker brute forces different values of session ID and manages to predict a valid session ID..

Tecnique ID: 1 - Environment(s) env-Web env-ClientServer env-Peer2Peer env-CommProtocol

The attacker models the session ID algorithm enough to produce a compatible session IDs, or just one match.

Outcome ID: 1

Type: Success

Session identifiers successfully spoofed

Outcome ID: 2

Type: Failure

No session IDs can be found or exploited



Step 1 - Use matched Session ID

The attacker uses the falsified session ID to access the target system..

Tecnique ID: 1 - Environment(s) env-Web

The attacker loads the session ID into his web browser and browses to restricted data or functionality.

Tecnique ID: 2 - Environment(s) env-CommProtocol env-Peer2Peer env-ClientServer

The attacker loads the session ID into his network communications and impersonates a legitimate user to gain access to data or functionality.

Security Control ID: 1

Type: Detective

Monitor the correlation between session IDs and other station designations (MAC address, IP address, VLAN, etc.). Alert on session ID reuse from multiple sources.

Security Control ID: 2

Type: Preventative

Terminate both sessions if an ID is used from multiple origins.



Use a strong source of randomness to generate a session ID.

Use adequate length session IDs

Do not use information available to the user in order to generate session ID (e.g., time).

Ideas for creating random numbers are offered by Eastlake [RFC1750]

Encrypt the session ID if you expose it to the user. For instance session ID can be stored in a cookie in encrypted format.