Credential/Session Prediction is a method of hijacking or impersonating a website user by deducing or guessing the unique value that identifies that user's session. The attack exploits the way many websites authenticate and track a user only when communication is first established: the user proves their identity to the website, typically with a username/password combination (credentials). Rather than passing these confidential credentials back and forth with every transaction, the website generates a unique "session ID" and marks the session as authenticated. Subsequent requests from the user carry that session ID as "proof" of the authenticated session, so whoever presents a valid ID is treated as that user.

If the session IDs are predictable (sequential, derived from a timestamp or username, or produced by a weak random number generator), an attacker who has observed a few IDs, for example by logging in with their own account, can extrapolate the values issued to other users and present one of them. A successful Credential/Session Prediction is therefore a form of session hijacking: the attacker issues requests with the compromised user's privileges without ever knowing that user's credentials, allowing fraudulent activity to occur. The defense is to generate session IDs from a cryptographically secure random source with enough entropy that guessing is infeasible, and to bind nothing predictable into the value.
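The following Python program is an added example, not part of the original text and not taken from any real product. It models a hypothetical server whose session IDs are `<unix_time>-<counter>`, an attacker who logs in twice, infers the pattern from the IDs it received, and then presents candidate IDs to the server until one resolves to another user's session. The same attacker logic is run against a second store that uses `secrets.token_urlsafe` (256 bits from the OS CSPRNG) to show that there is nothing to extrapolate. The class and function names, the fixed clock value and the guess windows are all assumptions made for the example.

```python
import re
import secrets
import time


class WeakSessionStore:
    """Hypothetical server whose session IDs are '<unix_time>-<counter>'.
    Both components are guessable, so the ID carries almost no entropy."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so the demo is deterministic
        self._counter = 1000         # per-process counter, incremented per login
        self._sessions = {}          # session ID -> username

    def login(self, username):
        self._counter += 1
        sid = f"{int(self._clock())}-{self._counter}"
        self._sessions[sid] = username
        return sid

    def user_for(self, sid):
        # The only check the server makes: does an entry with this ID exist?
        return self._sessions.get(sid)


class SecureSessionStore(WeakSessionStore):
    """Same server, but the ID is 32 random bytes from the OS CSPRNG."""

    def login(self, username):
        sid = secrets.token_urlsafe(32)   # ~256 bits; no relation between IDs
        self._sessions[sid] = username
        return sid


def predict_and_hijack(store, attacker_sids, now, window=10, counter_span=20):
    """Attacker side. Takes the IDs the attacker received for its own logins,
    infers the '<time>-<counter>' pattern, and submits candidates for sessions
    created after its own. Returns (victim, session_id, guesses) or None."""
    pattern = re.compile(r"^(\d+)-(\d+)$")
    parsed = [pattern.match(s) for s in attacker_sids]
    if not all(parsed):
        return None                  # no recognisable structure to extrapolate from
    last_counter = max(int(m.group(2)) for m in parsed)
    tried = 0
    # Victims logged in shortly after the attacker, so search a small band of
    # timestamps around 'now' and the next few counter values.
    for ts in range(int(now) - window, int(now) + window + 1):
        for c in range(last_counter + 1, last_counter + counter_span + 1):
            candidate = f"{ts}-{c}"
            tried += 1
            user = store.user_for(candidate)      # present the guessed cookie
            if user is not None:
                return user, candidate, tried
    return None


def demo(store_cls, clock):
    """Attacker logs in twice, a victim logs in, attacker tries to hijack."""
    store = store_cls(clock=clock)
    attacker_sids = [store.login("attacker"), store.login("attacker")]
    store.login("victim")
    return predict_and_hijack(store, attacker_sids, now=clock())


if __name__ == "__main__":
    fixed_clock = lambda: 1_700_000_000          # constructed, deterministic time
    print("weak store  :", demo(WeakSessionStore, fixed_clock))
    print("secure store:", demo(SecureSessionStore, fixed_clock))
```

Against the weak store the attacker recovers the victim's session after about two hundred guesses, a budget that is trivial over HTTP; against the CSPRNG-backed store the attacker's own IDs do not even match the pattern, and the 2^256 search space rules out brute force. Real servers should also rate-limit and log bursts of requests with unknown session IDs, since that is the visible footprint of this attack.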