CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length
Incomplete
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: J2EE Misconfiguration: Insufficient Session-ID Length

The J2EE application is configured to use an insufficient session ID length.

Descripción CWE

If an attacker can guess or steal a session ID, then they may be able to take over the user's session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Informaciones generales

Detalles de contexto

Modos de introducción

Architecture and Design : COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.
Implementation

Plataformas aplicables

Lenguaje

Name: Java (Undetermined)

Tecnologías

Class: Web Based (Undetermined)
Name: Web Server (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
Access ControlGain Privileges or Assume Identity

Note: If an attacker can guess an authenticated user's session identifier, they can take over the user's session.

Mitigaciones potenciales

Phases : Implementation
Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.
Phases : Implementation
A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.

Notas de mapeo de vulnerabilidades

Justificación : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comentario : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-21 Exploitation of Trusted Identifiers
CAPEC-59 Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Referencias

REF-6

Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, Gary McGraw.
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf

REF-482

Hold Your Sessions: An Attack on Java Session-id Generation
Zvi Gutterman.
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/gm05.pdf

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
7 Pernicious Kingdoms 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificaciones

Nombre Organización Fecha Comentario
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2008-10-14 +00:00 updated Background_Details, Description
CWE Content Team MITRE 2009-05-27 +00:00 updated Description, Other_Notes, References
CWE Content Team MITRE 2009-10-29 +00:00 updated Background_Details, Common_Consequences, Enabling_Factors_for_Exploitation, Other_Notes, Potential_Mitigations
CWE Content Team MITRE 2010-06-21 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships
CWE Content Team MITRE 2017-11-08 +00:00 updated Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.