• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • You already know Dokkio is an AI-powered assistant to organize & manage your digital files & messages. Very soon, Dokkio will support Outlook as well as One Drive. Check it out today!


Credential and Session Prediction

Page history last edited by Robert Auger 14 years, 7 months ago

Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-18


Credential/Session Prediction

Credential/Session Prediction is a method of hijacking or impersonating a web site user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue web site requests with the compromised user's privileges.


Many web sites are designed to authenticate and track a user when communication is first established. To do this, users must prove their identity to the web site, typically by supplying a username/password (credentials) combination. Rather than passing these confidential credentials back and forth with each transaction, web sites will generate a unique "session ID" to identify the user session as authenticated. Subsequent communication between the user and the web site is tagged with the session ID as "proof" of the authenticated session. If an attacker is able predict or guess the session ID of another user, fraudulent activity is possible.



Many web sites attempt to generate session IDs using proprietary algorithms. These custom methodologies might generation session IDs by simply incrementing static numbers. Or there could be more complex procedures such as factoring in time and other computer specific variables.

The session ID is then stored in a cookie, hidden form-field, or URL. If an attacker can determine the algorithm used to generate the session ID, an attack can be mounted as follows:

  • attacker connects to the web application acquiring the current session ID.
  • attacker calculates or Brute Forces the next session ID.
  • attacker switches the current value in the cookie/hidden form-field/URL and assumes the identity of the next user.



"iDefense: Brute-Force Exploitation of Web Application Session ID's", By David Endler - iDEFENSE Labs

[1] http://www.cgisecurity.com/lib/SessionIDs.pdf


"Best Practices in Managing HTTP-Based Client Sessions", Gunter Ollmann -

[2] http://www.technicalinfo.net/papers/WebBasedSessionManagement.html


"A Guide to Web Authentication Alternatives", Jan Wolter

[3] http://www.unixpapa.com/auth/homebuilt.html


"Stompy tool", Michal Zalewski

[4] http://lcamtuf.coredump.cx/soft/stompy.tgz


"Ruining Security with java.util.Random", Jan P. Monsch

[5] http://www.iplosion.com/papers/ruining_security_with_java.util.random_v1.0.pdf

Comments (0)

You don't have permission to comment on this page.