Session Brute-Forcing
Overview
In a session brute-forcing attack an attacker tries to guess a
session id that is valid for some logged-in user. This can lead to user account
compromise.
What makes a site vulnerable?
A website will be vulnerable to session brute-forcing attacks if it
does not generate sufficiently strong session ids. Note that the site is not
vulnerable only if it is possible to guess the session id in use by some
particular user: it is vulnerable if it is possible to guess any session id
which is currently valid on the system. If there are many users, or sessions
have a long expiry time, then there may be many valid session ids at once. This
significantly reduces the effort required to guess a session id (compared
with targeting a particular user's session).
Impact of the attack
The primary impact of session brute-forcing attacks is to give an
attacker access to a user’s account. The damage this may allow the attacker to
cause depends on the nature of the site. It may allow him to perform a denial
of service attack on user account access, through modification of the user’s
password (doing so will also give the attacker ongoing access to the account,
beyond session expiry). The attacker will be able to carry out any other
actions permitted by the user’s account, including viewing the user’s personal
data, utilising stored credit cards, etc.
Preventing the attack
To prevent the attack, session ids should be chosen to be
sufficiently long and random that the probability of a successful guess is low,
given realistic assumptions about how many session ids an attacker can feasibly
try.
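The following is an added example (not part of the original page) that puts numbers on the two points above: how the number of concurrently valid sessions raises an attacker's odds, and how long a session id must be for a given guess budget. It assumes a simple model in which each guess hits with probability (valid sessions) / 2^(id bits), and uses Python's `secrets` module as the random source; the scenario figures are constructed.

```python
import math
import secrets


def generate_session_id(id_bits: int = 128) -> str:
    """Return a hex session id carrying id_bits of entropy from the OS CSPRNG.

    secrets.token_hex draws from os.urandom, so ids are unpredictable, unlike
    values derived from random.random(), sequential counters or timestamps.
    """
    return secrets.token_hex(id_bits // 8)


def guess_success_probability(id_bits: int, valid_sessions: int, guesses: int) -> float:
    """Probability that `guesses` random guesses hit at least one of
    `valid_sessions` currently valid ids drawn from a 2**id_bits space.

    Model (assumption): each guess hits with p = valid_sessions / 2**id_bits,
    so the overall chance is 1 - (1 - p)**guesses; log1p/expm1 keep tiny p precise.
    """
    p_hit = valid_sessions / 2 ** id_bits
    return -math.expm1(guesses * math.log1p(-p_hit))


def bits_needed(valid_sessions: int, guesses: int, max_probability: float) -> int:
    """Smallest id length (bits) keeping the attacker's success probability at or
    below max_probability, using the linear bound P <= guesses * N / 2**bits."""
    return math.ceil(math.log2(guesses * valid_sessions / max_probability))


if __name__ == "__main__":
    # Constructed scenario: 10,000 live sessions, attacker able to try 10**6 ids.
    for bits in (32, 64, 128):
        p = guess_success_probability(bits, 10_000, 10**6)
        print(f"{bits:3d}-bit ids, 10,000 valid sessions: P(success) = {p:.3g}")
    # Same guess budget: one targeted session versus any of 10,000 sessions.
    print("32-bit, targeted user :", f"{guess_success_probability(32, 1, 10**6):.3g}")
    print("32-bit, any session   :", f"{guess_success_probability(32, 10_000, 10**6):.3g}")
    # Sizing: 10**6 sessions, 10**12 guesses, tolerate at most a one-in-a-million hit.
    print("bits needed:", bits_needed(10**6, 10**12, 1e-6))
    print("example id :", generate_session_id())
```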