General Information

Authentication Bypass via Session Puzzling

Variants:
Direct

Also Known As:
Session Variable Overloading, Session Poisoning

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Session Management

Invented In:
01/05/2011

Added In:
04/12/2014

Quick Introduction to the Topic:


Vector Operation Method:
Attackers can abuse hardcoded default session values, or multiple application components that rely on the same session attribute, to bypass the authentication enforcement mechanism by accessing pages in an abnormal sequence. Logical session puzzling attacks combine forced browsing in custom sequences with hardcoded default session attributes and, in many cases, session poisoning.
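As an added illustration (not part of this catalog entry) of the shared-attribute case described above: a password-recovery step and the login flow both write the same session key, so a visitor who walks the recovery flow out of order already satisfies the protected page's check, while the hardened version keys recovery state separately and requires an explicit authentication marker. The dict-based session, the user store and all function names are assumptions made for this example.

```python
# Added illustration (not from the catalog entry): a dict stands in for the
# server-side session; names and the credential store are assumptions.

USERS = {"alice": "correct horse"}   # constructed credential store

# ---- Vulnerable design: recovery and login share the "user" attribute ----
def vuln_recovery_step1(session, username):
    """Step 1 of password recovery: look the account up, then ask a question."""
    if username in USERS:
        session["user"] = username  # written before any proof of identity
        return "security-question"
    return "unknown-user"

def vuln_login(session, username, password):
    if USERS.get(username) == password:
        session["user"] = username  # same key as the recovery flow
        return True
    return False

def vuln_is_authorized(session):
    # Authorization checks only that the shared attribute is present.
    return "user" in session

# ---- Hardened design: flow-specific key plus explicit auth marker ----
def safe_recovery_step1(session, username):
    if username in USERS:
        session["recovery_user"] = username  # scoped to the recovery flow
        return "security-question"
    return "unknown-user"

def safe_login(session, username, password):
    if USERS.get(username) == password:
        session.clear()  # discard any pre-authentication state
        session["user"] = username
        session["authenticated"] = True
        return True
    return False

def safe_is_authorized(session):
    return session.get("authenticated") is True and "user" in session

def out_of_order_walk(recovery_step, is_authorized):
    """Start recovery for a known account, skip the rest, request a protected page."""
    session = {}
    recovery_step(session, "alice")
    return is_authorized(session)

if __name__ == "__main__":
    print("vulnerable grants access:", out_of_order_walk(vuln_recovery_step1, vuln_is_authorized))
    print("hardened grants access:", out_of_order_walk(safe_recovery_step1, safe_is_authorized))
```

The check to carry into a real review is the last one: every authorization decision should test a marker that only the credential-verifying step can set, never a key that another flow also populates.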


Direct Variant:

Authentication Bypass via Session Puzzling

Variant Title:
Authentication Bypass via Session Puzzling

Typical Severity:
Major

Learn More: