CAPEC-60: Reusing Session IDs (aka Session Replay)
ID
CAPEC-60
Typical Severity
High
Likelihood Of Attack
High
Status
Draft
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | weakness |
| CWE-285 | Improper Authorization | weakness |
| CWE-290 | Authentication Bypass by Spoofing | weakness |
| CWE-294 | Authentication Bypass by Capture-replay | weakness |
| CWE-346 | Origin Validation Error | weakness |
| CWE-384 | Session Fixation | weakness |
| CWE-488 | Exposure of Data Element to Wrong Session | weakness |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information | weakness |
| CWE-664 | Improper Control of a Resource Through its Lifetime | weakness |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | weakness |
Taxonomiy Mapping
| Type | # ID | Name |
|---|---|---|
| ATTACK | 1134.001 | Access Token Manipulation:Token Impersonation/Theft |
| ATTACK | 1550.004 | Use Alternate Authentication Material:Web Session Cookie |