CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
Last updated
Overview
CAPEC-593 (Session Hijacking) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Discover Existing Session Token] Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.
- Step 2Experiment
[Insert Found Session Token] The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.
- Step 3Exploit
[Session Token Exploitation] The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.
What the attacker needs
Prerequisites
- An application that leverages sessions to perform authentication.
Skills required
- Low skill: Exploiting a poorly protected identity token is a well understood attack with many helpful resources available.
Resources required
- The adversary must have the ability to communicate with the application over the network.
Consequences
What a successful CAPEC-593 attack can achieve.
Gain Privileges
Affects: Confidentiality, Integrity, Availability
A successful attack can enable an adversary to gain unauthorized access to an application.
How to mitigate it
Defenses that reduce the risk of CAPEC-593.
- Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. If the user logs back in then a new session key should be generated.
Terminology & mappings
Mapped taxonomies
- ATTACK: Browser Session Hijacking (1185)
- ATTACK: Use Alternate Authentication Material:Application Access Token (1550.001)
- ATTACK: Remote Service Session Hijacking (1563)
- OWASP Attacks: Session hijacking attack
Frequently asked questions
Common questions about CAPEC-593.
- What is CAPEC-593?
- This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.
- How does a Session Hijacking attack work?
- It typically unfolds over 3 phases. It begins with: [Discover Existing Session Token] Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.
- How do you prevent CAPEC-593?
- Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. If the user logs back in then a new session key should be generated.
- What weaknesses does CAPEC-593 target?
- CAPEC-593 exploits 1 CWE weakness, including CWE-287 (Improper Authentication).
- How severe is CAPEC-593?
- MITRE rates CAPEC-593 as Very High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-593
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.