Invalidating any existing session

Base - a weakness that is described in an abstract fashion, but with sufficient details to infer specific methods for detection and prevention. More general than a Variant weakness, but more specific than a Class weakness. This information is often useful in understanding where a weakness fits within the context of external information sources.


The table(s) below show the weaknesses and high-level categories that are related to this weakness.

These relationships are defined as Child Of, Parent Of, Member Of and give insight to similar items that may exist at higher and lower levels of abstraction.

The less well known the site is, the lower the odds of an interested victim using the public terminal and the lower the chance of success for the attack vector described above.

The biggest challenge an attacker faces in exploiting session fixation vulnerabilities is inducing victims to authenticate against the vulnerable application using a session identifier known to the attacker.

In order to exploit the code above, an attacker could first create a session (perhaps by logging into the application) from a public terminal, record the session identifier assigned by the application, and reset the browser to the login page.

Next, a victim sits down at the same public terminal, notices the browser open to the login page of the site, and enters credentials to authenticate against the application.

If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.

This Member Of Relationships table shows additional CWE Categories and Views that reference this weakness as a member.

The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

The most common technique employed by attackers involves taking advantage of cross-site scripting or HTTP response splitting vulnerabilities in the target site [12].
