Session ID Prediction
Session prediction, also known as Credential prediction, is an attack that exploits predictable session ID generation. If a web application creates new session IDs using deterministic schemes such as usernames or an incrementing integer, an attacker can guess another user’s session ID and use it to access the user’s account on the website.
Attack Vector
The goal of this attack is to find a pattern in how the web application generates new session IDs. Some examples of patterns are encodings of usernames, the client’s IP address, time stamps, an incrementing number, etc. Steps in this attack include:
1. The attacker logs on to the website multiple times to generate different valid session IDs.
2. From these, the attacker determines how the generating process works and derives a session ID for another user.
3. The attacker uses this session ID to access the user’s account on the website.
Impact
A successful session prediction attack gives the attacker access to the victim’s account. This could mean access to higher level privileges or the ability to look at sensitive data.
Attack Examples
Example 1
After logging in to the cs166 website a few times, Alice notices that her session ID is always the same. She is curious about how it was created, so she tries a few different things and learns that her session ID is her username in base64! What a simple scheme! She knows that Bob is currently online, so she encodes his username, bobisthebest, in base64 and inputs this as her session ID. Now she is logged into Bob’s session on the cs166 website and has access to all of his secret messages.
Example 2
website.com has a very bad session ID pattern. Eve notices that every time she logs in, her session ID is a random string of 8 integers. She wants access to Bob’s account, so she tells Bob to log in to check out new features on the website. Once he is logged in, Eve brute forces all combinations of 8 integers and inputs them as her session ID until one matches Bob’s current session ID. Now she is logged into Bob’s account!
Defenses
To defend against session prediction attacks, include sources of randomness when generating session IDs. Keep in mind that brute force attacks to crack a session ID are possible, so make sure that the session IDs are complex enough. It is also important to not reuse the same session ID for one user over multiple sessions as this could allow an attacker to easily execute a session prediction attack many times.
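An added example (not part of the original page) contrasting the username-in-base64 scheme from Example 1 with IDs drawn from the operating system's CSPRNG and replaced on every login. SessionStore and its method names are hypothetical, and the keyspace figure for Example 2 assumes the ID is 8 decimal digits.

```python
import base64
import math
import secrets
from typing import Optional


def weak_session_id(username: str) -> str:
    """Scheme from Example 1: deterministic, so knowing the username gives the ID."""
    return base64.b64encode(username.encode()).decode()


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound, in bits, on the work needed to guess an ID of `length` symbols."""
    return length * math.log2(alphabet_size)


class SessionStore:
    """Hypothetical in-memory store; names are illustrative, not from the page."""

    ID_BYTES = 32  # 256 bits of CSPRNG output per session ID

    def __init__(self) -> None:
        self._user_by_id = {}  # session ID -> username
        self._id_by_user = {}  # username -> current session ID

    def login(self, username: str) -> str:
        # Drop any earlier session so the same ID is never reused across logins.
        old = self._id_by_user.pop(username, None)
        if old is not None:
            self._user_by_id.pop(old, None)
        # The ID carries no username, timestamp, IP address or counter.
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._user_by_id[sid] = username
        self._id_by_user[username] = sid
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        return self._user_by_id.get(sid)


if __name__ == "__main__":
    store = SessionStore()
    first, second = store.login("alice"), store.login("alice")
    print("weak ID repeats:", weak_session_id("alice") == weak_session_id("alice"))
    print("strong ID rotates:", first != second, "| old ID maps to:", store.lookup(first))
    print(f"8 decimal digits: {keyspace_bits(10, 8):.1f} bits")
    print(f"{SessionStore.ID_BYTES} random bytes: "
          f"{keyspace_bits(256, SessionStore.ID_BYTES):.0f} bits")
```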
Criteria for Demonstration
To demonstrate a successful session prediction attack, show that you can:
1. Predict another user’s current session ID based off of a vulnerability in the session ID generating process.
2. Input this session ID into your web browser, giving you access to the other user’s session.
Other resources
srowley2