CAPEC-226

Session Credential Falsification through Manipulation
Medio
Draft
2014-06-23
00h00 +00:00
2022-02-22
00h00 +00:00
CAPEC Mitre.org
Alerta para un CAPEC
Manténgase informado sobre cualquier cambio en un CAPEC específico.
Gestionar notificaciones

Descripciones CAPEC

An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.

Informaciones CAPEC

Prerrequisitos

The targeted application must use session credentials to identify legitimate users.

Recursos requeridos

An attacker will need tools to sniff existing credentials (possibly their own) in order to retrieve a base credential for modification. They will need to understand how the components of the credential affect server behavior and how to manipulate this behavior by changing the credential. Finally, they will need tools to allow them to craft and transmit a modified credential.

Debilidades relacionadas

CWE-ID Nombre de la debilidad

CWE-565

 Reliance on Cookies without Validation and Integrity Checking
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

CWE-472

 External Control of Assumed-Immutable Web Parameter
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

Envío

Nombre Organización Fecha Fecha de lanzamiento
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modificaciones

Nombre Organización Fecha Comentario
CAPEC Content Team The MITRE Corporation 2019-04-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.