Penetration Testing mailing list archives

Re: Strange cookies


From: Marco Ivaldi <raptor () mediaservice net>
Date: Thu, 24 Apr 2008 10:16:08 +0200 (Western Europe Standard Time)

Dirk,

On Wed, 23 Apr 2008, Dirk Reimers wrote:

> Hi all,
>
> [snip]
>
> Do any of you guys have experience in testing the randomness of cookies? Maybe any tools, like n-gram analysis, that work with a bunch of numbers?

You may want to try these free tools:

http://portswigger.net/sequencer/
http://lcamtuf.coredump.cx/stompy.tgz
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Furthermore, most commercial web application testing suites also include their own tool for analyzing the degree of randomness in session tokens, AFAIK.

Some other useful resources on this subject:

http://blog.portswigger.net/2007/10/introducing-burp-sequencer.html
http://seclists.org/bugtraq/2007/Jan/0626.html
http://www.owasp.org/index.php/Testing_for_Session_Management_Schema
http://www.xs4all.nl/~scusi/SessionID-release/www/index.html
https://addons.mozilla.org/it/firefox/addon/573

Hope this helps. Cheers,

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
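As an added illustration (not part of the thread, and not code from Burp Sequencer, stompy or WebScarab), the kind of per-position statistics these tools report can be reproduced in a few lines of Python: the character-level Shannon entropy at each token position and the bit-level bias of the hex-decoded tokens. The sample tokens are constructed inline with a deliberately weak scheme (fixed prefix, incrementing counter, random suffix) so the weak positions show up.

```python
import math
import random
from collections import Counter


def position_entropy(tokens):
    """Shannon entropy (bits) of the character observed at each position."""
    width = len(tokens[0])
    assert all(len(t) == width for t in tokens), "tokens must share a length"
    n = len(tokens)
    out = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        out.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return out


def bit_bias(tokens):
    """Fraction of 1-bits at each bit position of the hex-decoded tokens."""
    raw = [bytes.fromhex(t) for t in tokens]
    nbits = len(raw[0]) * 8
    ones = [0] * nbits
    for b in raw:
        for i in range(nbits):
            ones[i] += (b[i // 8] >> (7 - i % 8)) & 1
    return [o / len(raw) for o in ones]


def weak_positions(tokens, max_bits=1.0):
    """Character positions that carry at most max_bits of entropy."""
    return [i for i, h in enumerate(position_entropy(tokens)) if h <= max_bits]


def sample_tokens(n=2000, seed=1):
    """Constructed sample: fixed prefix, 4-hex-digit counter, 8 random hex digits."""
    rng = random.Random(seed)
    return ["cafe" + format(i, "04x") + format(rng.getrandbits(32), "08x")
            for i in range(n)]


if __name__ == "__main__":
    toks = sample_tokens()
    for i, h in enumerate(position_entropy(toks)):
        print(f"char {i:2d}: {h:.2f} bits")
    print("weak character positions:", weak_positions(toks))
    biased = [i for i, p in enumerate(bit_bias(toks)) if p < 0.05 or p > 0.95]
    print("near-constant bit positions:", biased)
```

Summing the per-position entropies overestimates the real entropy whenever positions are correlated (a counter or timestamp makes them so), so treat the total as an upper bound and collect at least a few thousand tokens before drawing conclusions.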
