Detailed attack pattern

Draft

CAPEC-60: Reusing Session IDs (aka Session Replay)

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

Last updated June 1, 2026

High

Typical severity

Per MITRE

High

Likelihood of attack

Per MITRE

10

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

CAPEC-60 (Reusing Session IDs (aka Session Replay)) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
The attacker interacts with the target host and finds that session IDs are used to authenticate users.
Step 2
Explore
The attacker steals a session ID from a valid user.
Step 3
Exploit
The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.

What the attacker needs

Prerequisites

The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.

The session IDs used by the target host are not well protected from session theft.

Skills required

Low skill: If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.
Medium skill: More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID.

Consequences

What a successful CAPEC-60 attack can achieve.

Gain Privileges

Affects: Confidentiality, Access Control, Authorization

How to mitigate it

Defenses that reduce the risk of CAPEC-60.

Always invalidate a session ID after the user logout.
Setup a session time out for the session IDs.
Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).
Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.
Encrypt the session data associated with the session ID.
Use multifactor authentication.

Examples

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428

Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258

Terminology & mappings

Mapped taxonomies

ATTACK: Access Token Manipulation:Token Impersonation/Theft (1134.001)
ATTACK: Use Alternate Authentication Material:Web Session Cookie (1550.004)

Frequently asked questions

Common questions about CAPEC-60.

What is CAPEC-60?

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

How does a Reusing Session IDs (aka Session Replay) attack work?

It typically unfolds over 3 phases. It begins with: The attacker interacts with the target host and finds that session IDs are used to authenticate users.

How do you prevent CAPEC-60?

Always invalidate a session ID after the user logout.

What weaknesses does CAPEC-60 target?

CAPEC-60 exploits 10 CWE weaknesses, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-285 (Improper Authorization), CWE-290 (Authentication Bypass by Spoofing), CWE-294 (Authentication Bypass by Capture-replay).

How severe is CAPEC-60?

MITRE rates CAPEC-60 as High severity with high likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-60

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing