CAPEC-61: Session Fixation

ID CAPEC-61
Typical Severity High
Likelihood Of Attack Medium
Status Draft

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.
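The two server-side properties the description names (accepting a client-supplied session identifier, and keeping the same identifier across authentication) are what make the attack work, so the defensive check is to remove both. The following is an added illustration, not code from CAPEC or MITRE: a minimal in-memory session store written twice, once with the fixable behaviour and once hardened so that only server-issued identifiers are honoured and a fresh identifier is issued whenever privilege changes. The user name "alice" and the planted identifier "attacker-chosen" are constructed sample values; the class and function names are assumptions for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_ID_BYTES = 32  # 256 bits of entropy from the OS CSPRNG


@dataclass
class Session:
    user: Optional[str] = None  # None until the client authenticates


class SessionStoreBase:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def whoami(self, sid: str) -> Optional[str]:
        # Resolve an identifier to the authenticated user, or None if unknown/anonymous.
        s = self._sessions.get(sid)
        return s.user if s else None


class FixableSessionStore(SessionStoreBase):
    """Exhibits both weaknesses from the CAPEC-61 description."""

    def begin(self, presented_id: Optional[str]) -> str:
        # Weakness 1: adopts whatever identifier the client presents,
        # even one the server never issued (e.g. planted via a crafted link).
        sid = presented_id or secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions.setdefault(sid, Session())
        return sid

    def login(self, sid: str, user: str) -> str:
        # Weakness 2: the pre-authentication identifier survives privilege elevation.
        self._sessions[sid].user = user
        return sid


class HardenedSessionStore(SessionStoreBase):
    """Server-issued identifiers only; identifier rotated on authentication."""

    def begin(self, presented_id: Optional[str]) -> str:
        # Honour an identifier only if this server issued it and it is still live;
        # anything else is discarded and replaced with a fresh server-generated one.
        if presented_id is not None and presented_id in self._sessions:
            return presented_id
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str) -> str:
        # Privilege changed: retire the pre-auth identifier entirely and issue a new one,
        # so any copy of the old identifier held elsewhere no longer maps to a session.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = Session(user=user)
        return new_sid


def run_fixation(store: SessionStoreBase, planted_id: str) -> Dict[str, Optional[str]]:
    """Replay the CAPEC-61 sequence against a store and report what each party's
    identifier resolves to afterwards. planted_id is the identifier the victim
    was induced to present; the return value is the detection signal a test
    suite can assert on."""
    victim_sid = store.begin(planted_id)          # victim arrives carrying the planted id
    authed_sid = store.login(victim_sid, "alice")  # victim authenticates (constructed user)
    return {
        "planted_id_resolves_to": store.whoami(planted_id),  # what the planter now sees
        "victim_id_resolves_to": store.whoami(authed_sid),   # the victim's own session
    }


if __name__ == "__main__":
    print("fixable :", run_fixation(FixableSessionStore(), "attacker-chosen"))
    print("hardened:", run_fixation(HardenedSessionStore(), "attacker-chosen"))
    # Rotation on login matters even when the planted id was genuinely server-issued:
    h = HardenedSessionStore()
    print("hardened, server-issued planted id:", run_fixation(h, h.begin(None)))
```

The third case in the usage block is the one that catches implementations which only validate that an identifier was server-issued: a live, server-generated identifier can still be planted, so rotation at the authentication boundary is required in addition to rejecting unknown identifiers. In a real deployment the same regeneration should happen on any privilege change (login, step-up authentication, role switch), and the replaced identifier must be invalidated server-side rather than merely overwritten in the client's cookie.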

https://capec.mitre.org/data/definitions/61.html

Weaknesses

ID       Name                                                    Type
CWE-384  Session Fixation                                        weakness
CWE-664  Improper Control of a Resource Through its Lifetime     weakness
CWE-732  Incorrect Permission Assignment for Critical Resource   weakness

Taxonomy Mapping

Type    ID   Name
WASC    37   Session Fixation
OWASP        Attacks: Session fixation