TID-321: HTTP Application Session Hijacking
Threat Description
A threat actor can hijack an insufficiently protected HTTP session token to gain unauthorized access to a device. HTTP session tokens can be obtained by a threat actor if they’re sent unencrypted over the network or if the site is vulnerable to cross-site scripting (XSS).
Threat Maturity and Evidence
Known Exploitable Weakness
ATT&CK T1539 Steal Web Session Cookie
“An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.”
CWE
CWE-384: Session Fixation (Composite)
“Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.”
CVE
Siemens SICAM Q100 - CVE-2022-43398
Siemens SICAM Q100 devices do not renew session tokens/cookies between logins.
MOXA NPort IAW5000A-I/O Series - CVE-2020-25198
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower has incorrectly implemented protections from session fixation, which may allow an attacker to gain access to a session and hijack it by stealing the user’s cookies.
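The following is an added example, not code from any of the products or advisories listed above. It shows the weakness CWE-384 describes (a login that keeps the pre-login session identifier) next to a login that invalidates and renews it, and sets the cookie attributes that address the two exposure paths named in the threat description (unencrypted transport and script access via XSS). The class, function and cookie names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical in-memory session table for a device web UI."""

    def __init__(self):
        self._sessions = {}

    def new_anonymous(self):
        # Identifier issued before authentication (e.g. on the login page).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_without_renewal(self, presented_sid, user):
        # Weak pattern: the pre-login identifier is kept and merely marked
        # as authenticated, so anyone who already knows it shares the session.
        self._sessions.setdefault(presented_sid, {"user": None})["user"] = user
        return presented_sid

    def login_with_renewal(self, presented_sid, user):
        # Corrected pattern: invalidate the old identifier, issue a fresh one.
        self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def session_cookie(sid):
    """Build the Set-Cookie value for a session identifier."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True      # never sent over plain HTTP
    cookie["session"]["httponly"] = True    # not readable from page scripts
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    store = SessionStore()
    old = store.new_anonymous()
    new = store.login_with_renewal(old, "operator")
    print("old id still valid:", store.user_for(old) is not None)
    print("Set-Cookie:", session_cookie(new))
```

A review of a device's web server can apply the same check: compare the session cookie value before and after login, and confirm the pre-login value is rejected afterwards.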