This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "Session Prediction"

Jump to: navigation, search
Line 49: Line 49:
==Related Countermeasures==
==Related Countermeasures==
[[:Category:Session Management]]
[[:Category:Session Management Control]]
[[Category:Session Management]]
[[Category:Session Management Attack]]

Revision as of 18:29, 27 October 2008

This is an Attack. To view all attacks, please see the Attack Category page.


The session prediction attack focus on predict session ID values that permits an attacker to bypass authentication schema of certain application. By analyzing and understanding the session ID generation process, an attacker can predict a valid session ID value and get access to the application.

In the first step, the attacker needs to collect some valid session IDs values that are used to identify authenticated users. Then, he must understand the structure of session ID, the information that is used to create it and the encryption or hash algorithm used by application to protect it, if it’s the case. Some bad implementation use sessions IDs composed by username or other predictable information, like timestamp or client IP address. In the worst case, this information are used in clear text or coded using some weak algorithm like base64 encoding.

In addition, the attacker can implement a brute force technique to generate and test different values of session ID until he successfully gets access to the application.


The session ID information for a certain application is normally composed by a string of fixed width, which randomness is very important to avoid its prediction. Looking at the example in Figure 1, the session ID variable is represented by JSESSIONID and its value is “user01”, that correspond to the username. By trying new values for it, like “user02”, it could be possible to get inside the application without prior authentication.

Predictable cookie.JPG

Figure 1. Predictable cookie

External References

Related Threats

Category: Authorization

Related Attacks

Related Vulnerabilities

Category:Input Validation Vulnerability

Related Countermeasures

Category:Session Management Control