Name Session Credential Falsification through Prediction
Summary This attack targets predictable session IDs in order to gain privileges. The attacker predicts the session ID used during a transaction and uses it to perform spoofing and session hijacking.
Prerequisites The target host uses session IDs to keep track of users. Session IDs are used to control access to resources. The session IDs used by the target host are predictable; for example, they are generated from predictable information (e.g., time).
Solutions
- Use a strong source of randomness to generate a session ID.
- Use session IDs of adequate length.
- Do not use information available to the user (e.g., time) to generate the session ID.
- Ideas for creating random numbers are offered by Eastlake [RFC1750].
- Encrypt the session ID if you expose it to the user; for instance, the session ID can be stored in a cookie in encrypted format.
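As an added example (not part of the CAPEC entry), the time-seeded generator the Prerequisites describe is shown beside a hardened generator that follows the Solutions above, with a server-side length check and a constant-time comparison; the 128-bit minimum and the helper names are assumptions made here:

```python
import hmac
import random
import secrets
import time

# Minimum entropy a session ID should carry, in bits (assumed baseline for this example).
MIN_SESSION_ID_BITS = 128


def weak_session_id(now=None):
    """Vulnerable pattern: a non-cryptographic PRNG seeded with the clock.

    Anyone who knows or can guess the clock value at issue time can rerun this
    and reproduce the same ID, which is the predictability this attack relies on.
    """
    seed = int(time.time()) if now is None else int(now)
    rng = random.Random(seed)
    return f"{rng.getrandbits(32):08x}"  # 32 bits, 8 hex characters


def strong_session_id(nbytes=MIN_SESSION_ID_BITS // 8):
    """Hardened pattern: draw the ID from the OS CSPRNG with adequate length."""
    return secrets.token_urlsafe(nbytes)


def session_id_has_adequate_length(session_id, min_bits=MIN_SESSION_ID_BITS):
    """Server-side sanity check that rejects IDs too short to carry min_bits.

    Each base64url character carries at most 6 bits, so this is only a length
    check that catches obviously short identifiers, not an entropy measurement.
    """
    return len(session_id) * 6 >= min_bits


def session_ids_match(presented, stored):
    """Constant-time comparison so lookup timing does not leak the stored value."""
    return hmac.compare_digest(presented.encode(), stored.encode())
```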
Related Weaknesses
CWE ID Description
CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length
CWE-200 Information Exposure
CWE-285 Improper Authorization
CWE-290 Authentication Bypass by Spoofing
CWE-330 Use of Insufficiently Random Values
CWE-331 Insufficient Entropy
CWE-346 Origin Validation Error
CWE-488 Exposure of Data Element to Wrong Session
CWE-539 Information Exposure Through Persistent Cookies
CWE-693 Protection Mechanism Failure