Session Prediction
Overview
In a session prediction attack the attacker attempts to reproduce
the session id generation process in use on the website. In doing so, and given
some known (and legitimately obtained) session ids for the website, the attacker
tries to determine other, valid session ids for the website. This can lead to
user account compromise.
What makes a site vulnerable?
A website will be vulnerable to session prediction attacks if the
sequence of session ids it generates is related in a predictable way. This
predictability allows the attacker to recreate the sequence of session ids
used by the site. The attacker’s expectation is that some of the session ids in
the sequence will correspond to the session ids associated with currently logged
in users.
Impact of the attack
The primary impact of session prediction attacks is to give an
attacker access to a user’s account. The damage this may allow the attacker to
cause depends on the nature of the site. It may allow him to perform a denial
of service attack on user account access, through modification of the user’s
password (doing so will also give the attacker ongoing access to the account,
beyond session expiry). The attacker will be able to carry out any other
actions permitted by the user’s account, including viewing the user’s personal
data, utilising stored credit cards, etc.
Preventing the attack
To prevent the attack, session ids should be generated through a
strong cryptographic process with the property that given any X-1 ids from a
sequence of X ids, it should be computationally infeasible to determine the
remaining unknown id. To achieve this, secret information must be used and
protected from unauthorised disclosure.