Predictable Session ID


Description

The application generates session IDs in a predictable way. A session ID is the token, usually carried in a cookie under the HTTP state management mechanism defined in RFC 6265, that the application uses to tie successive requests to one authenticated user. If the ID is derived from values an attacker can observe or guess (a counter, a timestamp, a user identifier, or the output of a weakly seeded random number generator), an attacker who has seen a few issued IDs can reconstruct the generator's state, predict past and future IDs, and present them as their own to take over valid user sessions.

Impact

An attacker who can predict session IDs can hijack the sessions of many users at once, without knowing any credentials, and gain access to their accounts. Once a session is hijacked, the attacker can read sensitive or personal data and potentially change the account password or other recovery details in order to establish longer-term access to the application.
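The following is an added worked example, not code from the original finding. It models a constructed, deliberately weak session ID scheme (an MD5 hash of an incrementing counter and the current minute, a pattern seen in hand-rolled session handling), shows how an attacker who has seen a single issued ID can recover the counter and predict the IDs handed to the next users, and contrasts it with an ID drawn from the operating system's CSPRNG via `secrets`. The class and function names, the counter range and the fixed timestamp are all assumptions made for the demonstration.

```python
import hashlib
import secrets
import time

# Constructed vulnerable scheme: ID = MD5("<counter>:<unix minute>").
# The counter and the minute are both guessable, so the hash adds no secrecy.
class PredictableSessionStore:
    def __init__(self, start_counter=1000):
        self._counter = start_counter

    def new_session_id(self, now=None):
        self._counter += 1
        minute = int((now if now is not None else time.time()) // 60)
        raw = f"{self._counter}:{minute}"
        return hashlib.md5(raw.encode()).hexdigest()


# Attacker side: given one observed ID (e.g. the attacker's own session cookie)
# and knowledge of the scheme, brute-force the counter and a small window of
# recent minutes until the hash matches. Returns (counter, minute) or None.
def recover_state(observed_id, now, counter_range=range(0, 100000), minute_slack=2):
    minute = int(now // 60)
    for m in range(minute - minute_slack, minute + 1):
        for c in counter_range:
            if hashlib.md5(f"{c}:{m}".encode()).hexdigest() == observed_id:
                return c, m
    return None


# With the state recovered, the next IDs the server will issue are known in
# advance; each one is a session the attacker can present as their own.
def predict_next_ids(counter, minute, count=5):
    return [
        hashlib.md5(f"{counter + i}:{minute}".encode()).hexdigest()
        for i in range(1, count + 1)
    ]


# Hardened replacement: 32 bytes (256 bits) from the OS CSPRNG, URL-safe
# base64 encoded. Nothing about one ID tells an attacker anything about
# the next, so recover_state() has nothing to brute-force.
def secure_session_id():
    return secrets.token_urlsafe(32)


# End-to-end demonstration with a fixed clock so the run is reproducible.
# Returns True if the attacker's predictions match what the server issues.
def demo(now=1_700_000_000.0):
    store = PredictableSessionStore(start_counter=4200)
    attacker_own_id = store.new_session_id(now)      # attacker logs in once
    counter, minute = recover_state(attacker_own_id, now, counter_range=range(0, 10000))
    predicted = predict_next_ids(counter, minute, count=3)
    actual = [store.new_session_id(now) for _ in range(3)]  # next three victims
    return predicted == actual


if __name__ == "__main__":
    print("attacker predicted the next session IDs:", demo())
    print("secure ID sample:", secure_session_id())
```

The brute-force is cheap because the search space is the product of a few thousand counter values and a handful of minutes; a real tester would collect several IDs in quick succession and look for exactly this kind of low-entropy structure before attempting prediction. Swapping the generator for `secrets.token_urlsafe(32)` (or the session facility of the web framework in use, which should do the same) removes the relationship between consecutive IDs.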

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
