Welcome to the Session ID Guessing Simulator! This tool simulates how an attacker might attempt to guess session IDs of users on a web application. You can adjust various parameters to see how the number of guesses and time required change under different conditions.
The number of bits (B) defines how many possible session IDs exist (2^B). More bits make guessing harder.
The total number of possible session IDs is: 16
This represents how many valid session IDs are currently in use. The attacker’s goal is to guess one of these.
If provided, we will estimate how long it might take to guess a valid session ID.
Session ID selection method:
With dynamic session IDs, the valid session IDs change after every guess. This simulates users logging in and out frequently.
With static session IDs, the valid session IDs do not change. This simulates long-lasting session IDs, like API keys.
Guessing strategy:
Each guess is chosen randomly. In static mode, random guessing may repeat guesses that have already failed, which makes it less efficient.
Incremental guessing avoids repeat guesses in static mode and improves efficiency.
Decremental guessing also avoids repeats in static mode, making it more efficient.
More trials give more accurate results but take longer.
Average guesses until first success: -
What this means: With the current setup, an attacker would need to make - guesses on average to guess a valid session ID.
Average duration until first success: -
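The simulation described above can be reproduced offline to see how the bit count, the number of valid IDs, the selection method and the guessing strategy interact. The following is an added example, not the simulator's own code; the function names are hypothetical, and the closed-form values in `expected_guesses` are the standard results for sampling with and without repeats, assuming valid IDs are placed uniformly at random.

```python
import random

def expected_guesses(bits, valid, mode, strategy):
    """Closed-form mean number of guesses until the first hit."""
    n = 2 ** bits
    if mode == "static" and strategy != "random":
        # Sweep without repeats over a fixed, uniformly placed valid set.
        return (n + 1) / (valid + 1)
    # Every guess is an independent hit with probability valid / n.
    return n / valid

def one_trial(n, valid, mode, strategy, rng):
    """Count guesses until one lands in the set of live session IDs."""
    live = set(rng.sample(range(n), valid))
    guess = 0 if strategy == "incremental" else n - 1
    count = 0
    while True:
        count += 1
        if strategy == "random":
            guess = rng.randrange(n)
        if guess in live:
            return count
        if mode == "dynamic":
            # Valid IDs change after every guess (users log in and out).
            live = set(rng.sample(range(n), valid))
        if strategy == "incremental":
            guess = (guess + 1) % n
        elif strategy == "decremental":
            guess = (guess - 1) % n

def simulate(bits, valid, mode, strategy, trials, seed=1):
    """Average guesses until first success over `trials` seeded runs."""
    n = 2 ** bits
    if not 1 <= valid <= n:
        raise ValueError("valid must be between 1 and 2**bits")
    rng = random.Random(seed)  # seeded so runs are repeatable
    total = sum(one_trial(n, valid, mode, strategy, rng) for _ in range(trials))
    return total / trials

if __name__ == "__main__":
    for mode in ("dynamic", "static"):
        for strategy in ("random", "incremental", "decremental"):
            got = simulate(8, 4, mode, strategy, trials=4000)
            want = expected_guesses(8, 4, mode, strategy)
            print(f"{mode:8} {strategy:12} simulated={got:7.2f} expected={want:7.2f}")
```

Dividing the average guess count by a guess rate gives the duration estimate. Each added bit doubles the average in every mode, which is why ID length matters far more than the choice of guessing strategy.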