CAPEC-21 : Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
https://capec.mitre.org/data/definitions/21.html
Related CWE definitions
The J2EE application is configured to use an insufficient session ID length.
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
The product does not properly verify that the source of data or communication is valid.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
The web application uses persistent cookies, but the cookies contain sensitive information.
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Please note that CAPEC definitions are provided as a quick reference only.
Visit http://capec.mitre.org/ for a complete list of CAPEC entries and more information.