General Information

User Impersonation via Session Puzzling

Variants:
Direct 

Also Known As:
Session Variable Overloading, Session Poisoning

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Session Management

Invented In:
01/05/2011

Added In:
04/12/2014

Quick Introduction to the Topic:


Vector Operation Method:
Malicious users can abuse hardcoded session identities, or multiple components that rely on the same identity session attribute, to impersonate specific users in various sections of the application. Logical session puzzling attacks make use of forced browsing in customized sequences, hardcoded default session attributes and, in many cases, session poisoning.
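The following is an added illustration, not code from the catalogue entry or from any product it describes. It models a minimal web application in plain Python with a constructed user store: a password-recovery flow and the authenticated profile page both read and write the same `username` session attribute, so a visitor who completes only the first recovery step and then browses directly to the profile page is treated as that user. The hardened variant beside it scopes state per flow and gates access on an explicit authentication flag, which is the design fix a reviewer would ask for; all function and key names are hypothetical.

```python
"""Session puzzling demo: shared identity attribute vs. flow-scoped state.

Added example (hypothetical names, constructed data); not part of the page.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Stand-in for a server-side session object keyed by a cookie."""
    data: dict = field(default_factory=dict)


# Constructed sample user store (plaintext only to keep the demo short).
USERS = {"alice": "s3cret", "bob": "hunter2"}


# ---------------------------------------------------------------------------
# Vulnerable design: login and password recovery share one "username" key,
# and the profile page only checks that the key is present.
# ---------------------------------------------------------------------------
def vuln_login(session: Session, username: str, password: str) -> bool:
    if USERS.get(username) == password:
        session.data["username"] = username
        return True
    return False


def vuln_recovery_step1(session: Session, username: str) -> bool:
    # Step 1 of recovery remembers the account for step 2 (security question)
    # in the very same attribute that marks a logged-in user.
    if username in USERS:
        session.data["username"] = username
        return True
    return False


def vuln_profile(session: Session):
    # Authorization check is just "does the identity attribute exist".
    user = session.data.get("username")
    return None if user is None else f"profile of {user}"


# ---------------------------------------------------------------------------
# Hardened design: each flow owns a separate namespace in the session and the
# authenticated area requires an explicit, login-set authentication flag.
# ---------------------------------------------------------------------------
def safe_login(session: Session, username: str, password: str) -> bool:
    if USERS.get(username) == password:
        session.data["auth"] = {"username": username, "authenticated": True}
        # Any half-finished recovery state is dropped once the user logs in.
        session.data.pop("recovery", None)
        return True
    return False


def safe_recovery_step1(session: Session, username: str) -> bool:
    if username in USERS:
        # Recovery state lives under its own key and never implies login.
        session.data["recovery"] = {"username": username, "step": 1}
        return True
    return False


def safe_profile(session: Session):
    auth = session.data.get("auth")
    if not auth or not auth.get("authenticated"):
        return None
    return f"profile of {auth['username']}"


def demo_session_puzzle():
    """Visitor runs only recovery step 1, then force-browses to /profile.

    Returns (vulnerable_result, hardened_result).
    """
    vuln, safe = Session(), Session()
    vuln_recovery_step1(vuln, "alice")
    safe_recovery_step1(safe, "alice")
    return vuln_profile(vuln), safe_profile(safe)


def demo_legitimate_login():
    """Control case: a real login still reaches the profile in both designs."""
    vuln, safe = Session(), Session()
    vuln_login(vuln, "bob", "hunter2")
    safe_login(safe, "bob", "hunter2")
    return vuln_profile(vuln), safe_profile(safe)


if __name__ == "__main__":
    print("puzzle  :", demo_session_puzzle())
    print("login   :", demo_legitimate_login())
```

When reviewing session handling for this class of issue, list every code path that writes a given session attribute and every path that reads it as an authorization signal; any attribute written by an unauthenticated flow (recovery, registration, multi-step wizards) but read by an authenticated one is the puzzle. Namespacing per flow, an explicit authentication flag set only by successful login, and clearing transient flow state on completion or login remove the ambiguity.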


Direct Variant:

User Impersonation via Session Puzzling

Variant Title:
User Impersonation via Session Puzzling

Typical Severity:
Major

Learn More: