PaulDotCom mailing list archives
Finding the common thread...
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Mon, 15 Jun 2009 13:32:57 +0100
Hi,

You might want to do some statistical analysis on the values for the session ID. One crude way is to plot session ID over time to see if the value always ascends and look for other patterns. WebScarab will do this for you while you run the crawler over a page that sets the session ID.

http://www.owasp.org/index.php/How_to_test_session_identifier_strength_with_WebScarab

5-10 characters does seem very short for a session ID and possibly within the realms of brute-force attacks if you can reduce the keyspace you need to search. Can you give an example of what the session IDs look like?

Regards,
Jim

2009/6/15 <christopher.riley at r-it.at>
As part of some research I'm doing I've started looking at the method used to create session keys within a custom coded program. As I don't have access to the source code (and never likely will) I've been doing my best to figure out the process from the information I have to hand.

Due to the fact that the session IDs created can never repeat (all sessions are logged to a SQL database using the session ID as the primary key, duplicates therefore cause a database error) it seems very possible that the session IDs are created based on a mathematical formula using the timestamp as input. By mixing multiple inputs (such as username/password/system name etc...) the program runs the risk of creating a SessionID that already exists.

This is where my problem starts. In order to prove the theory, I need to find how the timestamp is manipulated to create the SessionID. I have access to the logfile containing 35,000+ valid SessionIDs and the timestamp of the logon. Given these two linked pieces of information, what can be done (in an automated or semi-automated fashion) to find any common threads between these values?

Additional Info: The timestamp is a standard unix timestamp. The web application is C based (CGI), and the resulting SessionIDs vary between 5 and 10 characters in length (there is no visual pattern between the length and the timestamp).

Any ideas?

Chris

----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908

Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for exchange of legally-binding communications.
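As an added example (not code from the thread or from either poster), the script below runs the kind of checks Jim describes over a (timestamp, session ID) logon log: whether two logons in the same second ever received different IDs (a pure function of the timestamp could not do that), what share of consecutive logons had an ID that went up with time, and how linearly the IDs track the timestamp when read as a number. Reading the IDs as base-36 is an assumption, and the weak-ID formula and both sample logs are constructed stand-ins, not data from Chris's application.

```python
import math
import string

ALPHABET = string.digits + string.ascii_lowercase  # base-36 digit set (assumed charset)

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0

def analyse(pairs, base=36):
    """pairs: (unix_timestamp, session_id) tuples from a logon log."""
    pairs = sorted(pairs)                       # order by logon time
    ts = [t for t, _ in pairs]
    ids = [int(s, base) for _, s in pairs]      # ValueError if charset differs
    # A pure timestamp formula gives every logon in one second the same ID,
    # so distinct IDs within a single second rule that theory out.
    per_second = {}
    for t, s in pairs:
        per_second.setdefault(t, set()).add(s)
    clashes = sum(1 for v in per_second.values() if len(v) > 1)
    # Share of consecutive logons whose numeric ID grew with time.
    steps = list(zip(ids, ids[1:]))
    ascending = sum(1 for a, b in steps if b > a) / len(steps) if steps else 0.0
    return {"same_second_distinct_ids": clashes,
            "ascending_fraction": ascending,
            "pearson_vs_timestamp": pearson(ts, ids)}

def _toy_weak_id(t):
    """Constructed stand-in for an unknown timestamp-derived formula (not the app's)."""
    n, out = t * 31 + 17, ""
    while n:
        n, r = divmod(n, 36)
        out = ALPHABET[r] + out
    return out

# Constructed sample logs, not data from the thread.
WEAK_LOG = [(1245067977 + 7 * i, _toy_weak_id(1245067977 + 7 * i)) for i in range(40)]
RANDOM_LOG = [(1245067977, "q7x2k"), (1245067984, "3mzp9b"), (1245067991, "h0rt"),
              (1245067998, "zz1a4e"), (1245068005, "b8q"), (1245068012, "k4nn7"),
              (1245068012, "p3wq")]

if __name__ == "__main__":
    for name, log in (("weak", WEAK_LOG), ("random-looking", RANDOM_LOG)):
        print(name, analyse(log))
```

On the constructed weak log the IDs ascend on every step and correlate perfectly with the timestamp; on the random-looking log the same-second clash and the near-zero correlation are what a sound generator should produce.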