
Understanding Risks of Brute Forcing Session IDs in Web Applications

Almost all of today's "stateful" web-based applications use session IDs to associate a group of online actions with a specific user. This has security implications because many state mechanisms that use session IDs also serve as authentication and authorization mechanisms -- purposes for which they were not well designed. In this paper, iDEFENSE Labs focused on the ease with which many of today's common web applications can be brute-forced, allowing an attacker to steal a legitimate user's credentials without ever having to guess their password.
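The defensive counterpart to the paper's finding is to audit how much unpredictability your own session IDs carry. The following is an added example, not code from the iDEFENSE paper: it generates IDs from the OS CSPRNG, contrasts them with a constructed weak pattern (timestamp plus counter), and applies a rough per-position entropy estimate as a sanity check. The 64-bit threshold is an assumed audit floor, not a value from the paper.

```python
import math
import secrets
from collections import Counter

# Assumed audit floor: session IDs with less than this much estimated
# entropy are treated as guessable. 128 bits leaves a comfortable margin.
MIN_ENTROPY_BITS = 64


def generate_session_id(nbytes: int = 16) -> str:
    """Mitigation: derive the ID from the OS CSPRNG (16 bytes = 128 bits)."""
    return secrets.token_hex(nbytes)


def weak_session_id(counter: int, timestamp: int) -> str:
    """Constructed example of a weak scheme: issue time plus a sequence
    number. Both parts are predictable, so the ID space is tiny."""
    return f"{timestamp}-{counter:06d}"


def estimate_entropy_bits(samples: list[str]) -> float:
    """Rough audit metric: Shannon entropy observed at each character
    position, summed over positions. Positions that never change add
    zero bits. Correlated positions make this an overestimate, so a LOW
    result is a reliable red flag while a high one is not a proof."""
    if not samples:
        return 0.0
    width = min(len(s) for s in samples)
    n = len(samples)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in samples)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def session_ids_look_strong(samples: list[str]) -> bool:
    """True when the sampled IDs clear the assumed entropy floor."""
    return estimate_entropy_bits(samples) >= MIN_ENTROPY_BITS


if __name__ == "__main__":
    strong = [generate_session_id() for _ in range(200)]
    weak = [weak_session_id(i, 1700000000) for i in range(200)]
    print("CSPRNG IDs:", round(estimate_entropy_bits(strong), 1), "bits")
    print("counter IDs:", round(estimate_entropy_bits(weak), 1), "bits")
```

Run this against a few hundred IDs collected from your own application's login flow to see whether the generator clears the floor.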