Session Puzzling is a new type of application-level vulnerability that could enable attackers to perform a variety of malicious actions, including but not limited to:
Bypass authentication and authorization enforcement mechanisms
Elevate privileges
Impersonate legitimate users
Avoid flow enforcement restrictions
Execute “traditional attacks” (such as injections) in locations that were previously considered safe
Affect content delivery destination
Cause unexpected application behaviors
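As an added illustration (not taken from the original post or from the presentation it mentions), the sketch below shows the pattern commonly described as session puzzling: one session variable is written by an unauthenticated flow and then trusted by an authenticated page, shown next to a hardened form. The handler names, session keys and user store are constructed for this example.

```python
# Toy user store and dict-based sessions, constructed for this example.
# Real code would store and compare password hashes, not plaintext.
USERS = {"alice": "correct horse"}

# --- Vulnerable: two flows share one session key for different purposes ---
def recover_start_vuln(session, username):
    # Password-recovery step 1 remembers whose account is being recovered.
    if username in USERS:
        session["username"] = username

def login_vuln(session, username, password):
    if USERS.get(username) == password:
        session["username"] = username

def profile_vuln(session):
    # Treats the mere presence of "username" as proof of authentication.
    user = session.get("username")
    return f"profile of {user}" if user else None

# --- Hardened: one key per purpose, explicit auth state, fresh session on login ---
def recover_start_safe(session, username):
    if username in USERS:
        # Dedicated key that authenticated pages never read.
        session["recovery_candidate"] = username

def login_safe(session, username, password):
    if USERS.get(username) != password:
        return session
    # Start from an empty session so pre-login values cannot carry over.
    return {"auth_user": username, "authenticated": True}

def profile_safe(session):
    # Requires the explicit flag set only by a successful login.
    if session.get("authenticated") is True and session.get("auth_user") in USERS:
        return f"profile of {session['auth_user']}"
    return None

def demo():
    """Start recovery without a password, then request the profile page."""
    vuln, safe = {}, {}
    recover_start_vuln(vuln, "alice")
    recover_start_safe(safe, "alice")
    return profile_vuln(vuln), profile_safe(safe)

if __name__ == "__main__":
    print(demo())
```

When reviewing an application for this class of bug, list every place each session key is written and every place it is read, and flag any key that is written before authentication and read by a protected page.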
Shay Chen, a friend and known security specialist, presented this new kind of attack at the Israeli local OWASP chapter meeting.
More information can be found here.