
Session ID Attacks
The Dark Side Attack
by Chance Hoggan
of http://www.blackberryseo.com/
Last updated: 19 Dec 2006
There will always be a darker shade than white to SEO, no matter how much Google tweak their algorithm. It can be used to improve search engine positions or to knock your competitor clean out of the game.
Google claim that there's nothing a competitor can do that can affect your rankings or damage your site, but coming in this article is a little search engine exploit I made earlier that knocks your competitor into supplemental.
We have had Google bowling in the past, and many more, but these mostly required lots of links to do damage, whereas this little exploit can be done quickly with few ingredients.
OK… enough of that gibberish, and let's get on with it.
Dynamic sites have sessions; I will take PHP-driven sites as the example and demonstrate how this is achieved on a PHP site. Whether or not session(); is enabled in the code, you can still reference a made-up session ID and it will return a page.
For instance, if the page we are working with is:
http://www.site.com/products.php
There is no horrible session ID on that URL, but I can type in:
http://www.site.com/products.php?PHPSESSID=4116817de867be2901094a9e06836560
And it will return the same page as the first link. All that's required is that you create 10 random numbers and link to them from an external source, and you in effect create duplicate content.
OYSTER WEB NOTE:
This technique is ethically very questionable, and we do not condone its use. However, we have published this article here as our next article will discuss how to protect yourself against this kind of session id attack.
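As an added example (not part of the original article or of Oyster Web's follow-up), one way to keep such URLs from being indexed as separate pages is to 301-redirect any request carrying query parameters the script does not use to its canonical URL. It generalises beyond PHPSESSID to any unused parameter; the ALLOWED_PARAMS allowlist, its parameter names and the function name are assumptions, as is the premise that the site keeps sessions in cookies rather than URLs.

```php
<?php
// Added example, not from the original article.
// Assumption: the site keeps sessions in cookies, never in URLs.

// Hypothetical allowlist: the query parameters each script really reads.
const ALLOWED_PARAMS = [
    '/products.php' => ['category', 'page'],
];

// Return the canonical form of a request URI, or null if it is already canonical.
function canonical_redirect_target(string $requestUri): ?string
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        $path = '/';
    }
    $query = parse_url($requestUri, PHP_URL_QUERY);
    $params = [];
    if (is_string($query)) {
        parse_str($query, $params);
    }

    // Drop everything the script does not use (PHPSESSID, tracking junk, ...).
    $kept = array_intersect_key($params, array_flip(ALLOWED_PARAMS[$path] ?? []));
    ksort($kept); // one fixed parameter order, so reordering is not a new URL

    $canonical = $path . ($kept ? '?' . http_build_query($kept) : '');
    return $canonical === $requestUri ? null : $canonical;
}

if (PHP_SAPI !== 'cli') {
    // Web request: permanently redirect non-canonical GET/HEAD variants only,
    // so form submissions (POST) are never redirected and lose their body.
    $isRead = in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD'], true);
    $target = canonical_redirect_target($_SERVER['REQUEST_URI']);
    if ($isRead && $target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }
} else {
    // Command line: show the decision for constructed sample requests.
    $samples = [
        '/products.php',
        '/products.php?PHPSESSID=4116817de867be2901094a9e06836560',
        '/products.php?page=2&PHPSESSID=0123456789abcdef&category=tea',
    ];
    foreach ($samples as $uri) {
        echo $uri, ' => ', canonical_redirect_target($uri) ?? '(serve as-is)', "\n";
    }
}
```

Included at the top of each page script before any output, this sends every made-up session ID variant to the single clean URL, so external links to those variants all consolidate on one page.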






