This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Insufficient Session-ID Length"
From OWASP
Weilin Zhong (talk | contribs) |
Weilin Zhong (talk | contribs) |
||
| Line 2: | Line 2: | ||
==Description== | ==Description== | ||
| + | The session-ID is not long enough to prevent brute-force session ID guessing attacks. It should be at least 128-bit long. | ||
==Examples == | ==Examples == | ||
==Related Threats== | ==Related Threats== | ||
| + | * Attackers that are try to obtain a valid session id for [[Session hijacking]]. | ||
==Related Attacks== | ==Related Attacks== | ||
| + | * [[Brute-force attack]] | ||
==Related Vulnerabilities== | ==Related Vulnerabilities== | ||
| + | * [[Insufficient cryptographic key length]] | ||
==Related Countermeasures== | ==Related Countermeasures== | ||
Revision as of 18:29, 29 June 2006
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Description
The session-ID is not long enough to prevent brute-force session ID guessing attacks. It should be at least 128-bit long.
Examples
Related Threats
- Attackers that are try to obtain a valid session id for Session hijacking.
Related Attacks
Related Vulnerabilities
Related Countermeasures
Categories
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
