Name
|
Session Credential Falsification through Prediction
|
Summary
|
This attack targets predictable session IDs in order to gain privileges. The attacker predicts the session ID used during a transaction and uses it for spoofing and session hijacking.
|
Prerequisites
|
The target host uses session IDs to keep track of the users.
Session IDs are used to control access to resources.
The session IDs used by the target host are predictable. For example, the session IDs are generated using predictable information (e.g., time).
|
Solutions
|
Use a strong source of randomness to generate a session ID.
Use session IDs of adequate length.
Do not use information available to the user in order to generate the session ID (e.g., time).
Ideas for creating random numbers are offered by Eastlake [RFC1750].
Encrypt the session ID if you expose it to the user. For instance, the session ID can be stored in a cookie in encrypted format.
|
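As an added illustration (not part of the CAPEC entry), the snippet below contrasts the time-derived generator the entry warns about with a CSPRNG-based one of adequate length, and includes a small review-time audit that flags the sequential, low-entropy pattern; the names and the 128-bit policy floor are this example's own assumptions.

```python
import math
import secrets
import time

# Constructed example; function names and the 128-bit floor are assumptions.
SESSION_ID_BYTES = 32      # 256 bits drawn from the CSPRNG
MIN_ENTROPY_BITS = 128     # assumed policy floor for "adequate length"


def weak_session_id() -> str:
    """The pattern the entry warns about: the ID is derived from information
    the client can observe (wall-clock time), so it is predictable."""
    return str(int(time.time() * 1000))


def strong_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Recommended pattern: CSPRNG output of adequate length, URL-safe base64."""
    if nbytes * 8 < MIN_ENTROPY_BITS:
        raise ValueError("session ID too short for policy")
    return secrets.token_urlsafe(nbytes)


def audit_session_ids(generator, samples: int = 200) -> dict:
    """Defender-side sanity check: draw `samples` IDs from `generator` and report
    the signs a reviewer looks for (repeats, monotonic numbers, short length)."""
    ids = [generator() for _ in range(samples)]
    duplicates = len(ids) - len(set(ids))
    all_numeric = all(i.isdigit() for i in ids)
    # A time- or counter-derived generator yields non-decreasing numbers.
    sequential = all_numeric and all(
        int(a) <= int(b) for a, b in zip(ids, ids[1:])
    )
    # Upper bound on entropy from length and alphabet; the real source may have less.
    alphabet = 10 if all_numeric else 64
    max_entropy_bits = min(len(i) for i in ids) * math.log2(alphabet)
    return {
        "duplicates": duplicates,
        "sequential": sequential,
        "max_entropy_bits": max_entropy_bits,
        "acceptable": duplicates == 0
        and not sequential
        and max_entropy_bits >= MIN_ENTROPY_BITS,
    }
```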