Penetration Testing mailing list archives
Re: SessionID analysis tools/methods?
From: "Ahmet Ozturk" <oahmet () gmail com>
Date: Mon, 13 Oct 2008 23:27:04 +0300
Hi,

Stompy (Michal Zalewski) is a great tool to analyze SESSIONID. You can download it from: http://lcamtuf.coredump.cx/soft/stompy.tgz

Here is the related part of the README file:

- Automatically detects session IDs encoded as URLs, cookies, as well as form inputs, then collects a statistically significant sample of data without any user interaction (but can also accept preformatted data from external sources),
- Automatically determines alphabet structure to transparently handle base64, uuencode, base32, decimal, hex, or any other sane encoding scheme, including mixed encodings. What's big is that it can handle fractional-bit alphabets (ones that do not consist of power-of-2 elements), which normally cannot be directly mapped to binary,
- After carrying out a couple of trivial alphabet-based tests, stompy then splits the samples into temporally separated bitstreams (stream 1: bit 0 of sample 1, bit 0 of sample 2, bit 0 of sample 3...; stream 2: bit 1 of sample 1, bit 1 of sample 2, bit...) to individually evaluate how bits change in time, and how much entropy they contribute to the identifier,
- To detect weaknesses in each of the bitstreams, the tool launches NIST FIPS-140-2 PRNG evaluation tests on the collected data, as well as a bunch of n-dimensional phase analysis attempts (spectral tests) aimed to find PRNG hyperplanes and other types of non-trivial data correlation,
- Lastly, the tool performs a series of spatial correlation checks to identify dependencies between neighboring bits in each of the tokens,
- A final report on the number of correct and anomalous bits is then prepared, and an estimate on the number of "untainted" entropy is assigned a human-readable rating.

Best Regards,
Ahmet Ozturk
PRO-G Information Security & Research Ltd
http://www.pro-g.com.tr

----

On 10/13/08, lister () lihim org <lister () lihim org> wrote:
In Webscarab, I notice that the entire item is compared as a whole. How do I break the JSESSION into pieces, or determine which part of the entire string is random (i.e. if the JSESSION uses 0000 at the beginning, how do I find out which parts of the entire string are static, or not as random)? I've seen some people use the SESSIONID to store information about the app (i.e. append or prepend information, with the randomness somewhere in between).

I'd be interested in any other tools (gui or non-gui) to analyse randomness of SessionIDs. On a more theoretical level, what mathematical/statistical tests should be conducted against the data?

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
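The per-bit method Ahmet quotes (split the samples into temporally separated bitstreams, then score each stream's entropy and how it changes from one sample to the next) also answers lister's question about finding the static parts of a token. The following is an added Python example, not code from the original posts or from Stompy itself; the SAMPLES tokens, the alphabet table and all function names are constructed for illustration.

```python
import math
from collections import Counter

# Known alphabets, smallest first; the first one covering every observed symbol wins.
ALPHABETS = [("decimal", "0123456789"), ("hex", "0123456789abcdef"),
             ("base64", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")]

# Constructed sample tokens (not real captures): a fixed "0000" prefix, 8 hex chars of
# random-looking data, then a 4-hex-digit counter (1000, 1001, ...) at the end.
SAMPLES = ["00003fa9c1d71000", "0000b72e0c541001", "00009d41f68b1002", "00005c0aeb231003",
           "0000e8137d9f1004", "000027b56a401005", "0000c4f08e1b1006", "000061a3d2c91007"]

def detect_alphabet(samples):
    """Return (name, alphabet) for the smallest known alphabet covering all symbols."""
    used = set("".join(samples))
    for name, alpha in ALPHABETS:
        if used <= set(alpha):
            return name, alpha
    return "custom", "".join(sorted(used))  # fallback: just the symbols seen

def to_bits(token, alpha):
    """Fixed-width bits per symbol (simplification: Stompy handles fractional-bit alphabets)."""
    width = math.ceil(math.log2(len(alpha)))
    return [int(b) for sym in token for b in format(alpha.index(sym), f"0{width}b")]

def bitstreams(samples):
    """Stream i = bit i of sample 1, bit i of sample 2, ... (the temporal split)."""
    _, alpha = detect_alphabet(samples)
    vectors = [to_bits(t, alpha) for t in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all tokens must have the same length")
    return [list(col) for col in zip(*vectors)]

def shannon_entropy(stream):
    n = len(stream)
    return -sum(c / n * math.log2(c / n) for c in Counter(stream).values())

def temporal_predictability(stream):
    """Share of steps where 'next = previous XOR most-common-delta' holds; a counter bit scores 1.0."""
    deltas = [a ^ b for a, b in zip(stream, stream[1:])]
    return max(Counter(deltas).values()) / len(deltas) if deltas else 0.0

def analyze(samples):
    """Per-bit report: static positions, counter-like positions, entropy estimate."""
    streams = bitstreams(samples)
    ent = [shannon_entropy(s) for s in streams]
    static = [i for i, e in enumerate(ent) if e == 0.0]
    counter_like = [i for i, s in enumerate(streams)
                    if ent[i] > 0.0 and temporal_predictability(s) == 1.0]
    return {"alphabet": detect_alphabet(samples)[0], "bits": len(streams), "static": static,
            "counter_like": counter_like, "entropy_bits": round(sum(ent), 2)}
```

On the constructed samples the report marks bits 0-15 and 48-60 as static and bit 63 as counter-like, so a frequency-only view that sees bit 63 as full entropy would overstate the token's unpredictability.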
Current thread:
- SessionID analysis tools/methods? lister (Oct 13)
- Re: SessionID analysis tools/methods? Ahmet Ozturk (Oct 13)
- Re: SessionID analysis tools/methods? Meenal Mukadam (Oct 13)
- Re: SessionID analysis tools/methods? security curmudgeon (Oct 13)
- Re: SessionID analysis tools/methods? rajat swarup (Oct 14)