General Information

Multiphase Process Bypass via Session Puzzling

Variants:
Direct 

Also Known As:
Session Variable Overloading

Vector Type:
Attack

Relevance:
Generic

Layer:
Application-Level

Platforms:
Any

Target Type:
Application

Affected Mechanisms:
Session Management

Invented In:
01/05/2011

Added In:
04/12/2014

Quick Introduction to the Topic:


Vector Operation Method:
Attackers can abuse hardcoded default session values, or multiple components that rely on the same session attributes, to bypass the authentication enforcement mechanism through abnormal access sequences. Flow-oriented session puzzling attacks perform several multiphase processes that depend on similar session flags at the same time, using forced browsing in customized sequences; they usually do not rely on session poisoning and are therefore harder to identify with web application firewalls.
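The pattern described above, as an added example that is not part of this entry: two multiphase flows (password recovery and login) that both store the identified account under the same session key, shown beside a hardened version that keeps per-flow state and sets an "authenticated" flag only from the login flow's final step. The user store, flow names and session keys are all constructed for this illustration and do not come from any real application.

```python
# Session puzzling demo (constructed example): the recovery flow and the
# login flow both write session["user"], so an abnormal sequence (recovery
# phase 1, then the account page) satisfies a check that only a completed
# login should satisfy. The hardened version namespaces each flow's state,
# records the phase, and derives "authenticated" solely from the login
# flow's final step. All names and data here are constructed.

# Constructed user store; a real application would use a hashed credential store.
USERS = {"alice": {"password": "correct-horse", "email": "alice@example.invalid"}}


# ---------------- vulnerable pattern ----------------

def vuln_recovery_step1(session, username):
    """Phase 1 of password recovery: identify the account."""
    if username in USERS:
        session["user"] = username          # same key the login flow uses
        return True
    return False


def vuln_login(session, username, password):
    """Login flow: sets the same 'user' key after the password check."""
    if USERS.get(username, {}).get("password") == password:
        session["user"] = username
        return True
    return False


def vuln_account_page(session):
    """Access check only asks whether *some* flow populated session['user']."""
    return session.get("user") is not None


# ---------------- hardened pattern ----------------

def safe_recovery_step1(session, username):
    """Recovery state lives under its own namespace with an explicit phase."""
    if username in USERS:
        session["recovery"] = {"user": username, "phase": 1}
        return True
    return False


def safe_login(session, username, password):
    """Only the login flow's final step may mark the session authenticated."""
    if USERS.get(username, {}).get("password") == password:
        # Discard unfinished state from other flows so stale flags cannot be reused.
        session.pop("recovery", None)
        session["auth"] = {"user": username, "authenticated": True}
        return True
    return False


def safe_account_page(session):
    """Access check keyed to the authentication flag, not to mere identification."""
    return session.get("auth", {}).get("authenticated") is True


def abnormal_sequence(recovery_step1, account_page):
    """Run recovery phase 1 and then jump straight to the account page.

    Returns True when the account page is reachable without a password.
    """
    session = {}
    recovery_step1(session, "alice")
    return account_page(session)


if __name__ == "__main__":
    print("vulnerable app grants access:", abnormal_sequence(vuln_recovery_step1, vuln_account_page))
    print("hardened app grants access:  ", abnormal_sequence(safe_recovery_step1, safe_account_page))
```

The review check this suggests for a real code base is mechanical: list every session key each multiphase flow reads or writes, and treat any key shared by two flows, or any authorization decision that keys off an identification step rather than a completed authentication, as a finding.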


Direct Variant:

Multiphase Process Bypass via Session Puzzling

Variant Title:
Multiphase Process Bypass via Session Puzzling

Typical Severity:
Major

Learn More: