This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Session Prediction"
(→Description) |
(→Examples) |
||
Line 10: | Line 10: | ||
==Examples == | ==Examples == | ||
− | + | The session ID information for a certain application is normally composed by a string of fixed width. Randomness is very important to avoid its prediction. | |
− | The session ID information for a certain application is normally composed by a string of fixed width | + | Looking at the example in Figure 1, the session ID variable is represented by JSESSIONID and its value is “user01”, which corresponds to the username. By trying new values for it, like “user02”, it could be possible to get inside the application without prior authentication. |
− | Looking at the example in Figure 1, the session ID variable is represented by JSESSIONID and its value is “user01”, | ||
<center> | <center> | ||
Line 19: | Line 18: | ||
Figure 1. Predictable cookie | Figure 1. Predictable cookie | ||
</center> | </center> | ||
− | |||
==External References== | ==External References== |
Revision as of 00:39, 17 February 2009
- This is an Attack. To view all attacks, please see the Attack Category page.
Description
The session prediction attack focuses on predicting session ID values that permit an attacker to bypass the authentication schema of an application. By analyzing and understanding the session ID generation process, an attacker can predict a valid session ID value and get access to the application.
In the first step, the attacker needs to collect some valid session ID values that are used to identify authenticated users. Then, he must understand the structure of session ID, the information that is used to create it, and the encryption or hash algorithm used by application to protect it. Some bad implementations use sessions IDs composed by username or other predictable information, like timestamp or client IP address. In the worst case, this information is used in clear text or coded using some weak algorithm like base64 encoding.
In addition, the attacker can implement a brute force technique to generate and test different values of session ID until he successfully gets access to the application.
Examples
The session ID information for a certain application is normally composed by a string of fixed width. Randomness is very important to avoid its prediction. Looking at the example in Figure 1, the session ID variable is represented by JSESSIONID and its value is “user01”, which corresponds to the username. By trying new values for it, like “user02”, it could be possible to get inside the application without prior authentication.
Figure 1. Predictable cookie
External References
http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm
http://en.wikipedia.org/wiki/HTTP_cookie
Related Threats
Related Attacks
Related Vulnerabilities
Category:Input Validation Vulnerability
Related Countermeasures
Category:Session Management Control