Brute Forcing Session ID / Session Prediction
In web applications, after a user logs in, a session id is generated and returned to the user's browser as cookies, hidden form fields, or URL query parameters.
When the user tries to access the other resources of the web application, she does not have to log in again as the stored session id will be sent back to the server as credentials.
Many web sites generate session IDs using proprietary algorithms. These proprietary algorithms might generate session IDs by simply incrementing a static number. These proprietary algorithms usually do not consider more complex procedures such as factoring in time, client IP, and other specific variables.
A session brutal forcing (session prediction) attack is to determine the value of the session id by using an automated process to try a large number of possible session id values.
If the session id is correctly determined, the hacker will be able to hijack the session to access the resources of the web application just as a logged-in user.
How Does It Work
- The hacker has knowledge of the proprietary algorithm for session id generation.
- The hacker iterates the access to the web resources with different session id values.
If the value space of the session id is not large enough and not random enough, and the web application does not limit unsuccessful access attempts, then the hacker may be able to eventually find out the correct session id value and gain access into your application.