×

Error message

  • Deprecated function: Methods with the same name as their class will not be constructors in a future version of PHP; views_display has a deprecated constructor in require_once() (line 3161 of /home/gleamly/public_html/includes/bootstrap.inc).
  • Deprecated function: Methods with the same name as their class will not be constructors in a future version of PHP; views_many_to_one_helper has a deprecated constructor in require_once() (line 127 of /home/gleamly/public_html/sites/all/modules/ctools/ctools.module).

Session Hijacking Attack: Session Prediction

Session Prediction is a Session Hijacking attack that focuses on predicting session identifiers.

Web applications that use weak methods of generating session identifiers are vulnerable to this attack. Some web applications use session identifiers that are either fixed or easy to predict. If an attacker is able to understand how session identifiers are generated by that server, the attacker can predict a valid session identifier and gain access to that application as the actual user. This method is mostly used when an attacker just wants to gain access to an application and not access to any specific user's account since it will be difficult to predict a session identifier for a specific user.

Detection

In order to detect whether a website is vulnerable to this attack, you first need to review session identifiers from the website and check whether:

  • The website uses fixed session identifiers such as the user's id, username or a combination of some variables as the session identifier.
  • Whether the algorithm used to generate session identifiers are easily predictable

To do this, simply open the website on different browsers - each browser will open a different session on the browser. Now check the website's cookies - this can be done using some tool such as Cookies Manager+ on firefox. Here is an example output (Cookie Manager + Output on Firefox) of a session ID cookie from a website

Session Identifier Cookie

The image above clearly shows that the website uses the user's id and some other text to compose the session cookie.

Attack a Website

Assuming that you've figured out the session id pattern for a website, it's quite easy to attack that website. All that is needed is to inject the session cookie into your browser using a tool like Cookies Manager+. You will need to try a few different session id's until you get a valid session id of a logged in user. After injecting a session id that belongs to a logged in user, just refresh the page and the website will automatically see you as that logged in user and share his/her data with you. Note that one issue with this attack as compared to other forms of session hijacking is that it is very hard to get the session of a specific user, unless the website uses user details to generate the session and you have the necessary details.

Prevention

This attack can be prevented by using a strong algorithm to generate session identifiers to make session identifiers as unpredictable as possible - the most common method being to include some random number in the session id.