Server Misconfiguration and Predictable Pages
Predictability-based attacks cover a wide range: guessing that a page=index.html parameter references an HTML file on disk; guessing that a document repository with explicit links to docid=1089 and docid=1090 probably also has a page for docid=1091; or narrowing the range of possible session cookie values far enough that brute-forcing a password-protected account becomes practical.

Random numbers play an important role in Web security. Session tokens, the cookie values that uniquely identify each visitor, must be difficult to predict. If an attacker obtains a victim's session cookie, the attacker can impersonate that user with little effort. One way to obtain the cookie is to steal it, via network sniffing or a cross-site scripting attack. Another is simply to guess its value.

The Mersenne Twister is a strong pseudorandom number generator (PRNG). A sequence's period is how long it runs before it starts repeating itself. A sequence with too short a period can be observed, recorded, and replayed by an attacker. A sequence with a long period forces the adversary to choose attack methods other than passive observation.
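As an added example (not code from the original page), the contrast below shows why the seed, not the token length, bounds how hard a session token is to guess: a generator seeded from a second-resolution clock hands out the same token for the same seed, so a 16-character token that nominally has about 95 bits of entropy collapses to roughly 16 bits when the seed is one of the 86,400 seconds in a day, whereas Python's `secrets` module draws from the OS CSPRNG and has no seed to recover. The application and its clock-based seeding scheme are hypothetical; note that a long period alone does not make a PRNG's output unpredictable, which is why the hardened version does not use a seeded generator at all.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
TOKEN_LEN = 16


def weak_token(seed: int, length: int = TOKEN_LEN) -> str:
    """Session token from a Mersenne Twister seeded with a guessable value.

    Models a hypothetical app that seeds from a second-resolution clock: anyone
    who can reconstruct the seed reproduces the token exactly.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_token(nbytes: int = 24) -> str:
    """Session token from the OS CSPRNG via secrets; there is no seed to recover."""
    return secrets.token_urlsafe(nbytes)


def nominal_bits(length: int = TOKEN_LEN, alphabet: str = ALPHABET) -> float:
    """Entropy the token *appears* to have: log2(|alphabet| ** length)."""
    return length * math.log2(len(alphabet))


def effective_bits(seed_candidates: int) -> float:
    """Entropy an attacker actually faces when the only unknown is the seed."""
    return math.log2(seed_candidates)


def reproducible(seed: int) -> bool:
    """True when two independent weak generators given the same seed agree."""
    return weak_token(seed) == weak_token(seed)


def strong_tokens_distinct(n: int = 100) -> bool:
    """True when n CSPRNG tokens are all different (no shared seed to collide on)."""
    return len({strong_token() for _ in range(n)}) == n


if __name__ == "__main__":
    # Constructed seed: a fixed Unix timestamp standing in for "now" in seconds.
    print("weak  :", weak_token(1_700_000_000))
    print("strong:", strong_token())
    print(f"nominal {nominal_bits():.1f} bits, "
          f"effective {effective_bits(86_400):.1f} bits if seed is a second within one day")
```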