RE: Paros v3.0.1 for web application security assessment

["Sakaba" <Sakaba () alexandria cc>]

Hi guys,

As part of my latest escapades I'm pen testing a web app.  This isn't the
usual scan and be done with it kind of pen test.  I am doing an indepth
analysis of everything that passes to and from the client and server.
Indexing all variables to understand their usuage and I will proceed to run
overflow and sql injection tests on them.  Thats the easy part.

The hard part is the sessionID.  I'd love to understand how they create
their sessionID.  If I could guess live sessionIDs I could possibly hijack
a session and obviously this would be pretty impressive to the client.  The
sessionID reaks of being a hash of something.  Not any one variable that
I've seen via MD5 or Sha-1 or 64encoding but probably some combo of things
or possibly ASP sessionID hashed.  I was just wondering from the group.
What techniques do you do when you get a hashed sessionID to figure out:
what kind of hash it is and what it is that was hashed.  What kind of
sessionIDs do you usually encounter in the field?

Any thoughts.
Thanks,
sakaba