Penetration Testing mailing list archives

Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad


From: Chris Keladis <Chris.Keladis () CMC CWO NET AU>
Date: Mon, 18 Dec 2000 22:20:39 -0500

Hi Anthony,

Yes, I am very curious to understand this better myself.

More specifically, I am interested in understanding the SITESERVER cookies
that (IIS?) sets.

It seems almost all major sites use them, and there have been published
vulnerabilities against them, but I would like to understand if the jargon
in the cookie has some meaning, or is it just a garbled string to
essentially "maintain state"?

One (insecure) way some sites encrypt their cookies is using base64
encoding of the information, others use XOR, MD5 and other kinds of
encryptions, or "bit-shifts".

You need to first look at the encoded cipher and see if you can identify a
common format; if that fails, perhaps a brute force of most major formats.
Failing that, a more analytical analysis may be necessary.



Cheers,

Chris.

At 04:44 PM 12/18/00 -0500, Ruso, Anthony wrote:

Hi All,

What are common methods used in decrypting/encrypting cookies? Would
many of you trust the use of cookies to store - let's say - passwords and
personal information? I'm trying to extract passwords from a client's website
through the use of cookies. They used to store website passwords in clear
text. I managed to convince them to encrypt them, but how can I test their
encryption choice and methods? My cryptanalysis experience is very basic.
Any feedback would be greatly appreciated.

Thanks

Chris Keladis

System/Security Administrator
Custom Management Centre
Cable & Wireless Optus.

Phone: (02) 9775-5312
Mobile: (0402) 067-375
E-Mail: Chris.Keladis () cmc cwo net au
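
The format check described in the reply above, written as an audit aid for reviewing a site's own cookie values. This is an added example and not part of either poster's message; the function names and sample values are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256"}


def is_text(data: bytes) -> bool:
    """True if data is non-empty and every byte is printable ASCII."""
    return bool(data) and all(32 <= b < 127 for b in data)


def decode(value: str):
    """Try hex first (its alphabet is a subset of base64's), then base64."""
    if HEX_RE.fullmatch(value):
        return "hex", bytes.fromhex(value)
    if B64_RE.fullmatch(value) and len(value) % 4 == 0:
        try:
            std = value.replace("-", "+").replace("_", "/")
            return "base64", base64.b64decode(std, validate=True)
        except binascii.Error:
            pass
    return None, b""


def classify(cookie_value: str) -> str:
    """Describe how a cookie value appears to be protected."""
    name, raw = decode(unquote(cookie_value))
    if name is None:
        return "no common encoding recognised"
    if is_text(raw):
        return f"{name}: readable text, encoded but not encrypted"
    if len(raw) in DIGEST_SIZES:
        return f"{name}: {DIGEST_SIZES[len(raw)]}-sized digest, check for salt or key"
    if len(raw) >= 8 and any(is_text(bytes(b ^ k for b in raw)) for k in range(256)):
        return f"{name}: single-byte XOR of readable text"
    return f"{name}: opaque {len(raw)}-byte value"


# Constructed sample values, not taken from any real site.
_PLAIN = b"user=alice;pw=hunter2"
SAMPLES = {
    "b64_plain": base64.b64encode(_PLAIN).decode(),
    "xor": base64.b64encode(bytes(b ^ 0xA7 for b in _PLAIN)).decode(),
    "md5": "5f4dcc3b5aa765d61d8327deb882cf99",  # MD5 of "password"
    "opaque": base64.b64encode(bytes(range(0, 240, 10))).decode(),
}
```

Any result other than "opaque" means the cookie content can be read or guessed without a secret; an "opaque" result only says these simple checks found nothing, not that the scheme is sound.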

