Credential/Session Prediction is an attack technique that surreptitiously obtains data about an authorized visitor to a website. This attack takes advantage of the fact that many websites authenticate and track a user when communication is first established. To do this, users must prove their identity to the website, typically by supplying a username/password (credentials) combination. Rather than passing these confidential credentials back and forth with each transaction, websites will generate a unique "session ID" to identify the user session as authenticated. Subsequent communication between the user and the website is tagged with the session ID as "proof" of the authenticated session.
With a successful Credential/Session Prediction, the attacker can impersonate the website user by deducing or guessing the unique value that identifies that user. Also known as session hijacking, this allows the attacker to issue website requests with the compromised user’s privileges, allowing fraudulent activity to occur.
Insufficient Session Expiration is when a website allows an attacker to reuse old session credentials or session IDs for authorization. Insufficient Session Expiration increases a website's exposure to attacks that steal or impersonate other users.
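The two weaknesses above, a guessable session ID and a session that never expires, are shown side by side in this added example (not code from the original page): a counter-based store whose next ID is trivial to deduce, beside a hardened store that draws IDs from the OS CSPRNG and enforces idle and absolute timeouts plus server-side invalidation on logout. The timeout values and the injectable `clock` are assumptions made so the expiry logic can be exercised offline.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: hard cap on lifetime even if the user stays active


class PredictableSessionStore:
    """Weak pattern: a sequential counter, so the next ID is trivially guessable."""
    def __init__(self):
        self._counter = 1000
        self.sessions = {}

    def create(self, user):
        self._counter += 1
        sid = str(self._counter)
        self.sessions[sid] = user
        return sid


class SessionStore:
    """Hardened pattern: unpredictable IDs plus idle and absolute expiration."""
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._sessions = {}          # sid -> {"user", "created", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        idle_too_long = now - entry["last_seen"] > IDLE_TIMEOUT
        lived_too_long = now - entry["created"] > ABSOLUTE_TIMEOUT
        if idle_too_long or lived_too_long:
            del self._sessions[sid]   # expired: drop it so the old ID can never be reused
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid):
        """Logout: invalidate on the server, not just by clearing the client cookie."""
        self._sessions.pop(sid, None)
```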