Penetration Testing mailing list archives

Re: SessionID analysis tools/methods?


From: "Ahmet Ozturk" <oahmet () gmail com>
Date: Mon, 13 Oct 2008 23:27:04 +0300

Hi,

Stompy (Michal Zalewski) is a great tool to analyze SESSIONIDs. You can
download it from: http://lcamtuf.coredump.cx/soft/stompy.tgz

 Here is the related part of the README file:

  - Automatically detects session IDs encoded as URLs, cookies, as well as
    form inputs, then collects a statistically significant sample of data
    without any user interaction (but can also accept preformatted data from
    external sources),

  - Automatically determines alphabet structure to transparently handle base64,
    uuencode, base32, decimal, hex, or any other sane encoding scheme, including
    mixed encodings. What's big is that it can handle fractional-bit alphabets
    (ones that do not consist of power-of-2 elements), which normally cannot be
    directly mapped to binary,

  - After carrying out a couple of trivial alphabet-based tests, stompy then
    splits the samples into temporally separated bitstreams (stream 1: bit 0 of
    sample 1, bit 0 of sample 2, bit 0 of sample 3...; stream 2: bit 1 of
    sample 1, bit 1 of sample 2, bit...) to individually evaluate how bits change
    in time, and how much entropy they contribute to the identifier.

  - To detect weaknesses in each of the bitstreams, the tool launches NIST
    FIPS-140-2 PRNG evaluation tests on the collected data, as well as a bunch of
    n-dimensional phase analysis attempts (spectral tests) aimed to find PRNG
    hyperplanes and other types of non-trivial data correlation.

  - Lastly, the tool performs a series of spatial correlation checks to identify
    dependencies between neighboring bits in each of the tokens,

  - A final report on the number of correct and anomalous bits is then prepared,
    and an estimate of the amount of "untainted" entropy is assigned a
    human-readable rating.

Best Regards,

Ahmet Ozturk
PRO-G Information Security & Research Ltd
http://www.pro-g.com.tr
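The bitstream split described in the README excerpt above, as an added illustration that is not Stompy's code nor part of the original post: a constructed batch of tokens with a fixed "0000" prefix and a fixed suffix is mapped to bits, each bit position becomes its own stream across the samples, and per-stream entropy shows which character positions are static and which carry randomness. The hex alphabet is assumed rather than detected, and eight samples are far too few for the FIPS tests Stompy runs; this only shows the mechanics.

```python
import math
from collections import Counter

HEX = "0123456789abcdef"  # assumed alphabet; Stompy detects this itself

# Constructed sample: static "0000" prefix, 8 varying hex chars, static "a1" suffix.
SAMPLE = ["0000" + core + "a1" for core in (
    "3f9c2b7e", "d04a11f0", "7be3c9a2", "91f0d3c4",
    "5ac27e8b", "e3b0c442", "2d7f6a19", "c8e14b05")]

def to_bits(token, alphabet=HEX):
    """Map each symbol to its index in the alphabet and emit fixed-width bits."""
    width = math.ceil(math.log2(len(alphabet)))
    return "".join(format(alphabet.index(c), f"0{width}b") for c in token)

def bitstreams(tokens, alphabet=HEX):
    """Stream i = bit i of sample 1, bit i of sample 2, ... (as in the README)."""
    rows = [to_bits(t, alphabet) for t in tokens]
    assert len({len(r) for r in rows}) == 1, "tokens must share a length"
    return ["".join(r[i] for r in rows) for i in range(len(rows[0]))]

def shannon(stream):
    """Entropy in bits of one 0/1 stream (0.0 for a constant stream)."""
    n = len(stream)
    return -sum(c / n * math.log2(c / n) for c in Counter(stream).values())

def analyze(tokens, alphabet=HEX):
    """Per-character-position verdict plus a crude total entropy estimate."""
    width = math.ceil(math.log2(len(alphabet)))
    ent = [shannon(s) for s in bitstreams(tokens, alphabet)]
    verdict = []
    for pos in range(len(tokens[0])):
        chunk = ent[pos * width:(pos + 1) * width]   # the bits of this character
        verdict.append("static" if max(chunk) == 0.0 else "varies")
    return verdict, sum(ent)

if __name__ == "__main__":
    verdict, total = analyze(SAMPLE)
    print("".join("S" if v == "static" else "R" for v in verdict))
    print(f"~{total:.1f} bits of entropy seen across {len(SAMPLE)} samples")
```

With so few samples the entropy figure is an upper-bounded sketch (at most one bit per stream); a real assessment needs the thousands of tokens Stompy collects before FIPS-140-2 and spectral tests mean anything.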


----
On 10/13/08, lister () lihim org <lister () lihim org> wrote:
In Webscarab, I notice that the entire item is compared as a whole;
 how do I break the JSESSION into pieces, or determine which part of the
 entire string is random (i.e., if the JSESSION uses 0000 at the beginning,
 how do I find out which parts of the entire string are static, or not
 as random)?

 I've seen some people use the SESSIONID to store information about the app
 (i.e., append or pre-pend information, with the randomness somewhere in-between).

 I'd be interested in any other tools (GUI or non-GUI) to analyse the randomness
 of SessionIDs.

 On a more theoretical level, what mathematical/statistical tests should be
 conducted against the data?
