Multiphase Process Bypass via Session Puzzling
Variants:
Direct
Also Known As:
Session Variable Overloading
Vector Type:
Attack
Relevance:
Generic
Layer:
Application-Level
Platforms:
Any
Target Type:
Application
Affected Mechanisms:
Session Management
Invented In:
01/05/2011
Added In:
04/12/2014
Quick Introduction to the Topic:
Vector Operation Method:
Attackers can abuse hardcoded default session values or multiple components relying on identical session attributes to bypass the authentication enforcement mechanism via abnormal access sequences. Flow oriented session puzzling attacks rely on performing multiple multiphase processes that rely on similar session flags - simultaneously, while making use of forced browsing in customized sequences, and usually without relying on session poisoning, and thus, are harder to identify in web application firewalls.
