WebApp Sec mailing list archives

Re: Sequence Identification Routines?

From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 9 Dec 2002 11:00:21 -0500

Nick,

You might be interested in the paper at
http;//razor.bindview.com/publish/papers/tcpseq.html. They analyzed the
randomness of tcp sequence numbers and represented the results
graphically. Of course, this won't actually predict a value, just helps
you understand how difficult it would be to predict a value.  Generally,
this is good enough.

--Jeff

Jeff Williams, CEO
jeff.williams () aspectsecurity com
Aspect Security, Inc.
www.aspectsecurity.com



----- Original Message -----
From: Nick Jacobsen
To: webappsec () securityfocus com
Sent: Monday, December 09, 2002 3:51 AM
Subject: Sequence Identification Routines?


I was hoping one of you might have some input here...  I am black box
testing a web app that generates a 5 character (letter and number only,
lowercase) verification string, that it then emails to the email address
on
file, and then the receiver has to type it in to continue with his
registration...  now, I am looking for some sort of programming routines,
snippets, or programs, that will look at a set of say, a 1000, numbers,
and
tell me if there is any sensible pattern, off which to predict the next 5
character string in the sequence.  Any suggestions welcome!

Thanks,
Nick Jacobsen
Ethics Design
nick () ethicsdesign com

Current thread:

Sequence Identification Routines? Nick Jacobsen (Dec 09)
- Re: Sequence Identification Routines? Charlie Root (Dec 09)
- Re: Sequence Identification Routines? Jeff Williams @ Aspect (Dec 09)
- RE: Sequence Identification Routines? Tony Welsh (Dec 09)
- Re: Sequence Identification Routines? maddany (Dec 09)
- <Possible follow-ups>
- RE: Sequence Identification Routines? Dawes, Rogan (ZA - Johannesburg) (Dec 10)
- RE: Sequence Identification Routines? securityarchitect (Dec 10)