Penetration Testing mailing list archives
Re: Session ID Analysis
From: "M.D.Mufambisi" <mufambisi () gmail com>
Date: Fri, 13 Aug 2010 06:39:43 +1000
thanks portswigger. I will do that. All im looking for is a scientific way of indeed proving the non randomness of the token and if possible even predict next tokens. i analysed 25000 tokens wat i just posted here were a few so that u get an idea. I will send the entire file soon. On 8/13/10, PortSwigger <mail () portswigger net> wrote:
Burp isn't basing its conclusion on the first 50 bytes which are invariant. It analyses the whole token, and bases its conclusion on the number of bits which pass the statistical tests for randomness. Read the help file for Burp Sequencer to understand exactly how it works. Even if a token contains a lot of invariant material, it can still exhibit strong entropy if there enough other bits which are sufficiently random. But you can't tell whether variant parts of a token are random just by looking - you need to run proper tests or, better, look at the source code for the algorithm. In this instance, the application is serving duplicated successive tokens to you, which will be affecting Burp's analysis. You need to gather samples from two locations simultaneously and first check whether the same token is ever issued to two different users. If so, this is a serious defect in itself. If not, then you should strip the duplicated successive tokens from your sample, and reload it into Sequencer to reanalyse: cat sessids.txt | uniq > sessids2.txt One other point: while Burp will let you run its analysis on a small sample, you should gather several thousand tokens to ensure the results of the statistical tests are at all reliable. Cheers PortSwigger On 12 Aug 2010, at 01:36, M.D.Mufambisi wrote:Hi, I have been analysing session IDs generated by a test site (for security practice) using burp. Burp reports that the randomnes of the sessionids is extremely poor. having a look at the session Ids, i can tell the first 50 or so bytes are about the same on all sessionIDs. And the other 10 appear to change. I bet burp got to this conclusion based on the first 50 bytes or so. Suppose the developer came and said yes, the first 50bytes are based on a calculation by date (hence they are all teh same) but the last 10 bytes are extremely random...how would i be able to confirm or deny this? I will paste a couple of the sessionIds here and I would be most grateful if I got ideas of what the changing bytes could be. Ultimately i want to see if i will be able to predict sessionIDs. May i also kindly have suggestions of software that i can use to find solutions to the above or to analyse sessionIds. thanks. I will paste a sample of the session Ids here for your perusal. tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+9vjLLL9unOPaw= ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
-- Regards, Munyaradzi D. Mufambisi, CISA, CISM, CISSP ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Session ID Analysis M.D.Mufambisi (Aug 12)
- Message not available
- Re: Session ID Analysis M.D.Mufambisi (Aug 12)
- Message not available
- Re: Session ID Analysis PortSwigger (Aug 12)
- Re: Session ID Analysis M.D.Mufambisi (Aug 12)
- Re: Session ID Analysis Michal Zalewski (Aug 12)
- Re: Session ID Analysis M.D.Mufambisi (Aug 12)
- Re: Session ID Analysis Steve Pinkham (Aug 12)
- Re: Session ID Analysis Shankar Arjunan (Aug 13)
- Re: Session ID Analysis Steve Pinkham (Aug 16)