Project: WASC Threat Classification
Threat Type: Attack
Reference ID: WASC-18
Credential/Session Prediction is a method of hijacking or impersonating a web site user. Deducing or guessing the unique value that identifies a particular session or user accomplishes the attack. Also known as Session Hijacking, the consequences could allow attackers the ability to issue web site requests with the compromised user’s privileges.
Many web sites are designed to authenticate and track a user when communication is first established. To do this, users must prove their identity to the web site, typically by supplying a username/password (credentials) combination. Rather than passing these confidential credentials back and forth with each transaction, web sites will generate a unique “session ID” to identify the user session as authenticated. Subsequent communication between the user and the web site is tagged with the session ID as “proof” of the authenticated session. If an attacker is able predict or guess the session ID of another user, fraudulent activity is possible.