logo

J2EE Misconfiguration: Insufficient Session-ID Length

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when a J2EE application uses session identifiers that are too short, making them easier for attackers to predict or capture.

Extended Description

Session IDs that are too short drastically reduce the number of possible combinations, making them vulnerable to brute-force guessing or enumeration attacks. When an attacker successfully guesses or steals a valid session ID, they can impersonate the legitimate user and hijack their active session, potentially gaining unauthorized access to sensitive data or privileged functions. To prevent this, developers must ensure session IDs are generated with sufficient length and entropy, typically using a secure random number generator. Longer session IDs exponentially increase the possible values, making them computationally infeasible to guess and significantly raising the security barrier against session hijacking attempts.
Common Consequences 1
Scope: Access Control

Impact: Gain Privileges or Assume Identity

If an attacker can guess an authenticated user's session identifier, they can take over the user's session.
Potential Mitigations 2
Phase: Implementation
Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.
Phase: Implementation
A lower bound on the number of valid session identifiers that are available to be guessed is the number of users that are active on a site at any given moment. However, any users that abandon their sessions without logging out will increase this number. (This is one of many good reasons to have a short inactive session timeout.) With a 64 bit session identifier, assume 32 bits of entropy. For a large web site, assume that the attacker can try 1,000 guesses per second and that there are 10,000 valid session identifiers at any given moment. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is less than 4 minutes. Now assume a 128 bit session identifier that provides 64 bits of entropy. With a very large web site, an attacker might try 10,000 guesses per second with 100,000 valid session identifiers available to be guessed. Given these assumptions, the expected time for an attacker to successfully guess a valid session identifier is greater than 292 years.
Demonstrative Examples 1

ID : DX-47

The following XML example code is a deployment descriptor for a Java web application deployed on a Sun Java Application Server. This deployment descriptor includes a session configuration property for configuring the session ID length.

Code Example:

Bad
XML
xml
This deployment descriptor has set the session ID length for this Java web application to 8 bytes (or 64 bits). The session ID length for Java web applications should be set to 16 bytes (128 bits) to prevent attackers from guessing and/or stealing a session ID and taking over a user's session.
Note for most application servers including the Sun Java Application Server the session ID length is by default set to 128 bits and should not be changed. And for many application servers the session ID length cannot be changed from this default setting. Check your application server documentation for the session ID length default setting and configuration options to ensure that the session ID length is set to 128 bits.
References 2
Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Katrina Tsipenyuk, Brian Chess, and Gary McGraw
NIST Workshop on Software Security Assurance Tools Techniques and MetricsNIST
07-11-2005
https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
ID: REF-6
Hold Your Sessions: An Attack on Java Session-id Generation
Zvi Gutterman
13-02-2005
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/gm05.pdf(2023-04-07)
ID: REF-482
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Small Space of Random Values (CWE-334)
Taxonomy Mapping
  • 7 Pernicious Kingdoms