User Impersonation via Session Puzzling
Variants:
Direct
Also Known As:
Session Variable Overloading, Session Poisoning
Vector Type:
Attack
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Session Management
Invented In:
01/05/2011
Added In:
04/12/2014
Quick Introduction to the Topic:
Vector Operation Method:
Malicious users can abuse hardcoded session identities, or multiple components that rely on the same identity session attribute, to impersonate specific users in various sections of the application. Logical session puzzling attacks make use of forced browsing in customized sequences, hardcoded default session attributes, and, in many cases, session poisoning.
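As an added illustration (not code from this database entry), the toy Python below shows the pattern described: a pre-authentication "forgot password" step and a profile page that share one session attribute, beside a hardened version that keeps recovery state and authenticated identity in distinct attributes. All function names, session keys and credentials are constructed for the example.

```python
# Added example, not code from the original entry: a toy session store and two
# application components that both read the SAME session attribute for identity.
from dataclasses import dataclass, field

_CONSTRUCTED_USERS = {"alice": "correct horse"}  # constructed sample credentials

@dataclass
class Session:
    data: dict = field(default_factory=dict)

# --- Vulnerable flow: "username" is written before any authentication,
#     yet another component treats it as the logged-in identity.
def vuln_reset_step1(session: Session, username: str) -> None:
    """'Forgot password' step 1: remembers the account being recovered."""
    session.data["username"] = username

def vuln_profile(session: Session) -> str:
    """Profile page: presence of 'username' is taken as proof of login."""
    user = session.data.get("username")
    return "401 login required" if user is None else f"200 profile of {user}"

# --- Hardened flow: pre-auth state and authenticated identity are distinct
#     attributes, and only the login handler writes the identity attribute.
def safe_reset_step1(session: Session, username: str) -> None:
    session.data["reset_candidate"] = username  # recovery state, never identity

def safe_login(session: Session, username: str, password: str) -> bool:
    if _CONSTRUCTED_USERS.get(username) != password:  # stand-in for a real verifier
        return False
    session.data.clear()  # drop any pre-authentication state
    session.data["authenticated_user"] = username
    return True

def safe_profile(session: Session) -> str:
    user = session.data.get("authenticated_user")
    return "401 login required" if user is None else f"200 profile of {user}"

def demo() -> tuple:
    """Plays the out-of-order sequence (reset step, then profile) against both flows."""
    s = Session()
    vuln_reset_step1(s, "alice")
    vulnerable = vuln_profile(s)      # "200 profile of alice" without a password
    t = Session()
    safe_reset_step1(t, "alice")
    hardened = safe_profile(t)        # "401 login required"
    return vulnerable, hardened

if __name__ == "__main__":
    print(demo())
```

A code-review check that follows from this: grep for every write to the session attribute that downstream components treat as identity, and confirm that only the authentication handler performs it.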