- Listen to our monthly AppSec Stats Flash podcast
- LEARN MORE
Session or Credential Prediction (aka Session Hijacking) is a method of hijacking or impersonating an authorized website/application user. With Session/Credential Prediction, the attacker deduces or guesses the unique value that identifies a particular session or user. Also known as session hijacking, these kinds of attacks give attackers the ability to issue website requests with the compromised user's privileges.
Many websites are designed to authenticate and track a user when communication is first established. To do this, users must prove their identity to the website, typically by supplying a username/password (credentials) combination. Rather than passing these confidential credentials back and forth with each transaction, websites generate a unique "session ID" to identify the user session as authenticated. Subsequent communication between the user and the website is tagged with the session ID as "proof" of the authenticated session. If an attacker is able predict or guess the session ID of a valid user, a Session or Credential Prediction attack is possible.