Thursday 17 April 2014

Session Hijacking

When creating session ids it is important to ensure they do not have a discernible pattern. Session hijacking can occur when a developer designs session ids that follow a chronological or otherwise predictable pattern.

Examples of predictable id sequences include having a timestamp present in the id value. A timestamp is easily pinpointed by an attacker: once they have obtained someone else's session id they can compare it with their own and easily work out the pattern between the two. Timestamps are typically one of the first things an attacker looks for, primarily because they are so easily recognised.

Likewise, values that increment, or that follow a clear pattern similar to incrementing, included in your session cookies are just as easily identified by an attacker and used to perform session hijacking.

There are programs dedicated to brute forcing session ids once an attacker has narrowed down a range. One example is J-Baah (as shown below), which increments a value between set bounds, located anywhere within the session id, and then sends each generated session id to the server to test whether it is valid.

[Screenshot: J-Baah]

Alternatives to simply including an incremented value or a timestamp in a session id include a randomly generated number, which makes a brute force attack far more difficult, or a username in the id.
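The contrast described above, as an added example that is not part of the original post: the weak timestamp-plus-counter scheme beside an id drawn from the operating system's CSPRNG, plus a small audit heuristic that flags numeric fields which strictly increase across ids issued in order. The class, function and field names are my own, and the id format is constructed for illustration, not any real framework's scheme.

```python
import re
import secrets


class PredictableSessionIds:
    """The weak design the post warns about: a Unix timestamp joined to an
    incrementing counter. Constructed here for illustration only."""

    def __init__(self, start=1):
        self._next = start

    def issue(self, unix_time):
        sid = f"{int(unix_time)}-{self._next:04d}"
        self._next += 1
        return sid


def secure_session_id(nbytes=32):
    """Unguessable id: 256 bits from the OS CSPRNG, URL-safe base64 (43 chars).
    Nothing about the issue time or issue order is encoded in it."""
    return secrets.token_urlsafe(nbytes)


def sequential_fields(ids, min_digits=4):
    """Audit heuristic for ids captured in the order they were issued.

    Splits each id into runs of at least min_digits digits and returns the
    indexes of the runs whose values strictly increase from one id to the
    next. A timestamp or counter shows up here; a random id returns []."""
    pattern = r"\d{%d,}" % min_digits
    runs = [[int(r) for r in re.findall(pattern, sid)] for sid in ids]
    # Need at least two ids, and every id must expose the same number of fields.
    if len(runs) < 2 or any(not r or len(r) != len(runs[0]) for r in runs):
        return []
    return [
        i for i in range(len(runs[0]))
        if all(a[i] < b[i] for a, b in zip(runs, runs[1:]))
    ]


if __name__ == "__main__":
    gen = PredictableSessionIds()
    weak = [gen.issue(1397736000 + i) for i in range(5)]  # one id per second
    print("weak ids:", weak, "-> increasing fields:", sequential_fields(weak))
    strong = [secure_session_id() for _ in range(5)]
    print("strong ids -> increasing fields:", sequential_fields(strong))
```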
