Penetration Testing mailing list archives
Re: SessionID analysis tools/methods?
From: "rajat swarup" <rajats () gmail com>
Date: Tue, 14 Oct 2008 10:06:56 -0400
On Mon, Oct 13, 2008 at 12:02 PM, <lister () lihim org> wrote:
In WebScarab, I notice that the entire item is compared as a whole. How do I break the JSESSIONID into pieces, or determine which part of the entire string is random (i.e. if the JSESSIONID uses 0000 at the beginning, how do I find out which parts of the entire string are static, or not as random)? I've seen some people use the SESSIONID to store information about the app (i.e. append or prepend information, with the randomness somewhere in between).

I'd be interested in any other tools (GUI or non-GUI) to analyse the randomness of session IDs. On a more theoretical level, what mathematical/statistical tests should be conducted against the data?
Due to the quirkiness of the tools, I generally try to use curl and bash to collect a bunch of session IDs. Once you have that you could use either Excel or OpenOffice to create graphs to get you the patterns. A sample script could look like this:

for i in `seq 100`
do
  # one login per iteration; keep only the header line that carries the session cookie
  sessid=`curl -d "username=username&password=password&whatever=youneed" -k -i https://www.example.com/login | grep -i session`
  echo "$sessid"
done

You could awk out the output the way you please. Paste into xls and go to Insert -> Chart -> Line. Select the rows of pasted session IDs in xls and you get a nice looking customized graph for session ID analysis. This works for most cases where you might need custom tools to get a decent output.

Just my two cents,
Rajat.

--
Rajat Swarup
http://rajatswarup.blogspot.com/
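The following is an added example, not code from either poster: it does in Python what the reply above does with grep, awk and a spreadsheet, and answers the original question about telling the static parts of a session ID from the varying ones. The session IDs, the `Set-Cookie` header lines and the JSESSIONID layout (a constant "0000" prefix, a hex counter, eight random hex characters, a ".node1" suffix) are all constructed for the demo and are assumptions, not the format of any real server. The extraction regex stands in for the `grep | awk` step; the per-position Shannon entropy is the statistical test the question asks about, and the counter check shows one thing positional entropy alone misses.

```python
import math
import random
import re
from collections import Counter

# Hypothetical JSESSIONID layout used to build the constructed sample:
#   "0000" constant prefix | 4-hex-digit counter | 8 random hex chars | ".node1"
# This is an assumption for the demo, not the format of any real server.
HEX = "0123456789abcdef"


def build_sample_ids(count=64, seed=42):
    """Construct `count` session IDs following the hypothetical layout above."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    ids = []
    for i in range(count):
        rand_part = "".join(rng.choice(HEX) for _ in range(8))
        ids.append("0000" + format(i, "04x") + rand_part + ".node1")
    return ids


def build_sample_headers(ids):
    """Constructed stand-in for `curl -i` output: one Set-Cookie line per login."""
    lines = []
    for sid in ids:
        lines.append("HTTP/1.1 200 OK")
        lines.append("Set-Cookie: JSESSIONID=%s; Path=/; HttpOnly" % sid)
        lines.append("Content-Type: text/html")
    return lines


SESSION_RE = re.compile(r"Set-Cookie:\s*JSESSIONID=([^;\s]+)", re.IGNORECASE)


def extract_session_ids(header_lines):
    """The 'grep | awk' step: pull the cookie value out of each Set-Cookie line."""
    return [m.group(1) for m in map(SESSION_RE.search, header_lines) if m]


def position_entropy(ids):
    """Shannon entropy (bits) of the character at each position across the sample.

    0 bits means the position never changes; log2(alphabet size) means every
    symbol was seen equally often. Only positions present in every ID are scored.
    """
    width = min(len(s) for s in ids)
    n = len(ids)
    entropies = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        entropies.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return entropies


def classify_positions(entropies, low_max=2.5):
    """Label each position 'static' (never varies), 'low' or 'high' entropy."""
    return ["static" if h == 0.0 else "low" if h < low_max else "high" for h in entropies]


def find_counter_spans(ids, base=16):
    """Find slices whose integer value steps by a constant from one ID to the next.

    A sequential counter shows high per-position entropy on its fast digit, so
    entropy alone would call it random; this check catches it. Returns a list of
    (start, end) slices, longest match first at each start position.
    """
    width = min(len(s) for s in ids)
    spans, start = [], 0
    while start < width:
        if len({s[start] for s in ids}) == 1:  # a never-varying position cannot start a counter
            start += 1
            continue
        matched = None
        for end in range(width, start + 1, -1):
            try:
                values = [int(s[start:end], base) for s in ids]
            except ValueError:
                continue  # slice contains non-digit characters
            diffs = {b - a for a, b in zip(values, values[1:])}
            if len(diffs) == 1 and diffs != {0}:
                matched = (start, end)
                break
        if matched:
            spans.append(matched)
            start = matched[1]
        else:
            start += 1
    return spans


def report(ids):
    """Print what the spreadsheet graph would show, position by position."""
    ent = position_entropy(ids)
    print("position  entropy  label")
    for pos, (h, label) in enumerate(zip(ent, classify_positions(ent))):
        print("%8d  %7.2f  %s" % (pos, h, label))
    print("apparent entropy of the whole ID: %.1f bits" % sum(ent))
    for start, end in find_counter_spans(ids):
        print("positions %d-%d step by a constant: a counter, not random" % (start, end - 1))


if __name__ == "__main__":
    report(extract_session_ids(build_sample_headers(build_sample_ids())))
```

Run it as-is to see the report on the constructed sample: the prefix and suffix come out static, the counter's slow digit has low entropy, its fast digit scores a full 4 bits and would look random until `find_counter_spans` flags positions 6-7 as stepping by a constant. To use it on collected data, feed the raw `curl -i` lines to `extract_session_ids` instead of the constructed headers; the sum of per-position entropies is only an upper bound on the real entropy, since it ignores dependencies between positions such as the counter.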
Current thread:
- SessionID analysis tools/methods? lister (Oct 13)
- Re: SessionID analysis tools/methods? Ahmet Ozturk (Oct 13)
- Re: SessionID analysis tools/methods? Meenal Mukadam (Oct 13)
- Re: SessionID analysis tools/methods? security curmudgeon (Oct 13)
- Re: SessionID analysis tools/methods? rajat swarup (Oct 14)