CAPEC-102: Session Sidejacking

Session Sidejacking

状态:Draft

Typical_Severify: High

攻击可能性:High

描述

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

相关攻击模式

ChildOf: CAPEC-593 |Session Hijacking

Execution Flow Attack Setp

Setp 1 Explore

[Detect Unprotected Session Token Transfer] The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.

Setp 2 Experiment

[Capture session token] The attacker uses sniffing tools to capture a session token from traffic.

Setp 3 Experiment

[Insert captured session token] The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.

Setp 4 Exploit

[Session Token Exploitation] The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

前置条件

An attacker and the victim are both using the same WiFi network.

The victim has an active session with a target system.

The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)

The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically "rings home" asynchronously using the session token

所需技能

Level Low

Easy to use tools exist to automate this attack.

所需资源

A packet sniffing tool, such as wireshark, can be used to capture session information.

后果

Scope Impact Likelihood
Confidentiality Access Control Authorization Gain Privileges
I n t e g r i t y Modify Data
C o n f i d e n t i a l i t y Read Data
A v a i l a b i l i t y Unreliable Execution

缓解措施

Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.

Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.

实例

The attacker and the victim are using the same WiFi public hotspot. When the victim connects to the hotspot, he has a hosted e-mail account open. This e-mail account uses AJAX on the client side which periodically asynchronously connects to the server side and transfers, amongst other things, the user's session token to the server. The communication is supposed to happen over HTTPS. However, the configuration in the public hotspot initially disallows the HTTPS connection (or any other connection) between the victim and the hosted e-mail servers because the victim first needs to register with the hotspot. The victim does so, but his e-mail client already defaulted to using a connection without HTTPS, since it was denied access the first time. Victim's session token is now flowing unencrypted between the victim's browser and the hosted e-mail servers. The attacker leverages this opportunity to capture the session token and gain access to the victim's hosted e-mail account.

相关CWE

294 | 使用捕获-重放进行的认证绕过

522 | 不充分的凭证保护机制

523 | 凭证传输未经安全保护

319 | 敏感数据的明文传输

614 | HTTPS会话中未设置'Secure'属性的敏感Cookie

内容历史记录

提交

2014-06-23 | CAPEC Content Team | The MITRE Corporation

修改

2017-05-01 | CAPEC Content Team | The MITRE Corporation

Updated Related_Attack_Patterns

2017-08-04 | CAPEC Content Team | The MITRE Corporation

Updated Resources_Required