Penetration Testing mailing list archives
Re: Strange cookies
From: Marco Ivaldi <raptor () mediaservice net>
Date: Thu, 24 Apr 2008 10:16:08 +0200 (ora solare Europa occidentale)
Dirk,

On Wed, 23 Apr 2008, Dirk Reimers wrote:
Hi all,
[snip]
Does anybody of you have any experience in testing the randomness of cookies? Maybe any tools, like n-gram analysis, that work with a bunch of numbers?
You may want to try these free tools:

http://portswigger.net/sequencer/
http://lcamtuf.coredump.cx/stompy.tgz
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Furthermore, most commercial web application testing suites also include their own tool for analyzing the degree of randomness in session tokens, AFAIK.

Some other useful resources on this subject:

http://blog.portswigger.net/2007/10/introducing-burp-sequencer.html
http://seclists.org/bugtraq/2007/Jan/0626.html
http://www.owasp.org/index.php/Testing_for_Session_Management_Schema
http://www.xs4all.nl/~scusi/SessionID-release/www/index.html
https://addons.mozilla.org/it/firefox/addon/573

Hope this helps.

Cheers,

--
Marco Ivaldi, OPST
Red Team Coordinator
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
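As an added illustration of what the tools named in this thread actually measure (this is editor-supplied example code, not part of either message and not the code of Burp Sequencer, stompy or WebScarab), the script below runs the basic checks a tester applies to a captured sample of session tokens: per-character-position Shannon entropy, positions that never change, per-bit bias, and whether the tokens decode to a strictly increasing counter. The two token generators (`weak_tokens`, a zero-padded hex row counter, and `strong_tokens`, 128 bits from the OS CSPRNG) are constructed stand-ins for an application under test; in a real engagement the sample comes from a few thousand `Set-Cookie` headers collected in a row. Tokens are assumed to be fixed-width hex strings.

```python
"""Statistical sanity checks for a sample of session tokens.

Constructed example: weak_tokens() and strong_tokens() stand in for an
application under test; a real assessment feeds in tokens captured from
Set-Cookie headers in the order they were issued.  Hex tokens are assumed.
"""
import math
import secrets
from collections import Counter

HEX_BITS = 4  # one hex digit carries at most 4 bits


def per_position_entropy(tokens):
    """Shannon entropy (bits) of the character at each position, across the sample."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("all tokens must have the same length")
    n = len(tokens)
    entropies = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        h = -sum((c / n) * math.log2(c / n) for c in counts.values())
        entropies.append(h)
    return entropies


def estimated_bits(tokens):
    """Sum of per-position entropies.  Positions are treated as independent,
    so this is an upper bound on the real entropy of the token, never a proof."""
    return sum(per_position_entropy(tokens))


def fixed_positions(tokens):
    """Character positions that never change in the sample (zero entropy)."""
    return [i for i, h in enumerate(per_position_entropy(tokens)) if h == 0.0]


def is_monotonic(tokens):
    """True if the tokens decode to strictly increasing integers in capture
    order: the signature of a counter or database-row-id session identifier."""
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return False
    return all(b > a for a, b in zip(values, values[1:]))


def biased_bits(tokens, tolerance=0.1):
    """Bit positions whose frequency of 1s deviates from 0.5 by more than
    `tolerance`.  With ~1000 samples the standard deviation is ~0.016, so
    0.1 is a ~6-sigma threshold; a random token trips it on no bit."""
    values = [int(t, 16) for t in tokens]
    nbits = len(tokens[0]) * HEX_BITS
    n = len(tokens)
    out = []
    for bit in range(nbits):
        ones = sum((v >> bit) & 1 for v in values)
        if abs(ones / n - 0.5) > tolerance:
            out.append(bit)
    return out


def weak_tokens(n, start=0):
    """Constructed weak generator: a zero-padded 128-bit hex counter."""
    return ["%032x" % (start + i) for i in range(n)]


def strong_tokens(n):
    """Constructed strong generator: 128 bits from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]


def report(tokens):
    """Summarise the checks for one sample."""
    return {
        "estimated_bits": round(estimated_bits(tokens), 1),
        "fixed_positions": len(fixed_positions(tokens)),
        "monotonic": is_monotonic(tokens),
        "biased_bits": len(biased_bits(tokens)),
    }


if __name__ == "__main__":
    for name, sample in (("weak", weak_tokens(1000)), ("strong", strong_tokens(1000))):
        print(name, report(sample))
```

On the constructed weak sample the checks report roughly 10 bits of entropy concentrated in the last three hex digits, 29 constant positions, 118 dead bits and a monotonic sequence; the CSPRNG sample reports close to 128 bits, no constant positions and no biased bits. The caveat a tester should keep in mind is that these tests only detect *bad* tokens: a token built from `md5(timestamp)` passes every check above while still being guessable, so a clean statistical result is a necessary condition, not evidence that the scheme is unpredictable.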
Current thread:
- Strange cookies Dirk Reimers (Apr 23)
- Re: Strange cookies Marco Ivaldi (Apr 24)