CAPEC | Related Weakness |
Manipulating Opaque Client-based Data Tokens |
CWE-233 | Improper Handling of Parameters |
CWE-285 | Improper Authorization |
CWE-302 | Authentication Bypass by Assumed-Immutable Data |
CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
CWE-353 | Missing Support for Integrity Check |
CWE-384 | Session Fixation |
CWE-472 | External Control of Assumed-Immutable Web Parameter |
CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
|
Session Fixation |
CWE-361 | 7PK - Time and State |
CWE-384 | Session Fixation |
CWE-664 | Improper Control of a Resource Through its Lifetime |
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|
Exploitation of Trusted Credentials |
CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
CWE-290 | Authentication Bypass by Spoofing |
CWE-302 | Authentication Bypass by Assumed-Immutable Data |
CWE-346 | Origin Validation Error |
CWE-384 | Session Fixation |
CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
CWE-602 | Client-Side Enforcement of Server-Side Security |
CWE-642 | External Control of Critical State Data |
CWE-664 | Improper Control of a Resource Through its Lifetime |
|
Session Credential Falsification through Prediction |
CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
CWE-285 | Improper Authorization |
CWE-290 | Authentication Bypass by Spoofing |
CWE-330 | Use of Insufficiently Random Values |
CWE-331 | Insufficient Entropy |
CWE-346 | Origin Validation Error |
CWE-384 | Session Fixation |
CWE-488 | Exposure of Data Element to Wrong Session |
CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
CWE-693 | Protection Mechanism Failure |
CWE-719 | OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
|
Session Credential Falsification through Forging |
CWE-384 | Session Fixation |
CWE-664 | Improper Control of a Resource Through its Lifetime |
|
Accessing/Intercepting/Modifying HTTP Cookies |
CWE-20 | Improper Input Validation |
CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
CWE-302 | Authentication Bypass by Assumed-Immutable Data |
CWE-311 | Missing Encryption of Sensitive Data |
CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
CWE-384 | Session Fixation |
CWE-472 | External Control of Assumed-Immutable Web Parameter |
CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
CWE-602 | Client-Side Enforcement of Server-Side Security |
CWE-642 | External Control of Critical State Data |
CWE-724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
|
Reusing Session IDs (aka Session Replay) |
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
CWE-285 | Improper Authorization |
CWE-290 | Authentication Bypass by Spoofing |
CWE-294 | Authentication Bypass by Capture-replay |
CWE-346 | Origin Validation Error |
CWE-384 | Session Fixation |
CWE-488 | Exposure of Data Element to Wrong Session |
CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
CWE-664 | Improper Control of a Resource Through its Lifetime |
CWE-732 | Incorrect Permission Assignment for Critical Resource |
|