CWE-384: Session Fixation
ID
CWE-384
Abstraction
Compound
Structure
Composite
Status
Incomplete
Number of CVEs
296
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Such a scenario is commonly observed when:
- A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user.
- An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session.
- The application or container uses predictable session identifiers.
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user's account through the active session.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | |
| Implementation |
Applicable Platforms
| Type | Class | Name | Prevalence |
|---|---|---|---|
| Language | Not Language-Specific |
Relationships
| View | Weakness | |||||||
|---|---|---|---|---|---|---|---|---|
| # ID | View | Status | # ID | Name | Abstraction | Structure | Status | |
| CWE-1000 | Research Concepts | Draft | CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | Class | Simple | Draft | |
| CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Incomplete | CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | Class | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-346 | Origin Validation Error | Class | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-472 | External Control of Assumed-Immutable Web Parameter | Base | Simple | Draft | |
| CWE-1000 | Research Concepts | Draft | CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | Class | Simple | Draft | |
Common Attack Pattern Enumeration and Classification (CAPEC)
The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
CAPEC at Mitre.org| # ID | Name | Weaknesses |
|---|---|---|
| CAPEC-21 | Exploitation of Trusted Identifiers | CWE-384 |
| CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies | CWE-384 |
| CAPEC-39 | Manipulating Opaque Client-based Data Tokens | CWE-384 |
| CAPEC-59 | Session Credential Falsification through Prediction | CWE-384 |
| CAPEC-60 | Reusing Session IDs (aka Session Replay) | CWE-384 |
| CAPEC-61 | Session Fixation | CWE-384 |
| CAPEC-196 | Session Credential Falsification through Forging | CWE-384 |
CVEs Published
CVSS Severity
CVSS Severity - By Year
CVSS Base Score
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |
Loading...