ByteOS Network

CAPEC-102:Session Sidejacking

Attack Pattern ID:102

Version:v3.9

Attack Pattern Name:Session Sidejacking

Abstraction:Detailed

Status:Draft

Likelihood of Attack:High

Typical Severity:High

Details Content History Related Weaknesses Reports

▼Description

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

▼Relationships

Nature	Type	ID	Name
ChildOf	S	593	Session Hijacking

Nature: ChildOf

Type: Standard

ID: 593

Name: Session Hijacking

▼Execution Flow

Explore

Detect Unprotected Session Token Transfer

The attacker sniffs on the wireless network to detect unencrypted traffic that contains session tokens.

Technique
The attacker uses a network sniffer tool like ferret or hamster to monitor the wireless traffic at a WiFi hotspot while examining it for evidence of transmittal of session tokens in unencrypted or recognizably encrypted form. An attacker applies their knowledge of the manner by which session tokens are generated and transmitted by various target systems to identify the session tokens.

Experiment

Capture session token

The attacker uses sniffing tools to capture a session token from traffic.

Insert captured session token

The attacker attempts to insert a captured session token into communication with the targeted application to confirm viability for exploitation.

Exploit

Session Token Exploitation

The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.

▼Prerequisites

An attacker and the victim are both using the same WiFi network.

The victim has an active session with a target system.

The victim is not using a secure channel to communicate with the target system (e.g. SSL, VPN, etc.)

The victim initiated communication with a target system that requires transfer of the session token or the target application uses AJAX and thereby periodically "rings home" asynchronously using the session token

▼Skills Required

Low

Easy to use tools exist to automate this attack.

▼Resources Required

A packet sniffing tool, such as wireshark, can be used to capture session information.

▼Consequences

Scope	Likelihood	Impact	Note
ConfidentialityAccess ControlAuthorization	N/A	Gain Privileges	N/A
Integrity	N/A	Modify Data	N/A
Confidentiality	N/A	Read Data	N/A
Availability	N/A	Unreliable Execution	N/A

Scope: Confidentiality, Access Control, Authorization

Likelihood: N/A

Impact: Gain Privileges

Note: N/A

Scope: Integrity

Likelihood: N/A

Impact: Modify Data

Note: N/A

Scope: Confidentiality

Likelihood: N/A

Impact: Read Data

Note: N/A

Scope: Availability

Likelihood: N/A

Impact: Unreliable Execution

Note: N/A

▼Mitigations

Make sure that HTTPS is used to communicate with the target system. Alternatively, use VPN if possible. It is important to ensure that all communication between the client and the server happens via an encrypted secure channel.

Modify the session token with each transmission and protect it with cryptography. Add the idea of request sequencing that gives the server an ability to detect replay attacks.

▼Example Instances

▼Related Weaknesses

ID	Name
CWE-294	Authentication Bypass by Capture-replay
CWE-319	Cleartext Transmission of Sensitive Information
CWE-522	Insufficiently Protected Credentials
CWE-523	Unprotected Transport of Credentials
CWE-614	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

ID: CWE-294

Name: Authentication Bypass by Capture-replay

ID: CWE-319

Name: Cleartext Transmission of Sensitive Information

ID: CWE-522

Name: Insufficiently Protected Credentials

ID: CWE-523

Name: Unprotected Transport of Credentials

ID: CWE-614

Name: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute