WebApp Sec mailing list archives
Re: stompy the session stomper - tool availability
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Thu, 1 Feb 2007 00:18:35 +0100 (CET)
On Sat, 27 Jan 2007, Michal Zalewski wrote:
I'd like to announce the availability of 'stompy', a free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms.
I'm genuinely surprised by the amount of (mostly positive ;-) feedback I got! Just an one-time, quick heads up: in response to numerous suggestions, I added a couple of fairly significant features to the tool that should make it capable of discovering far more - so if you downloaded it several days ago, you might want to update your copy: - It now supports SSL connections, custom-crafted requests including POSTs, and input from external sources (for evaluation of non-WWW tokens of any type), - It now uses GNU MP library to losslessly handle alphabets that do not directly map to binary (this is big), - Can run spatial correlation checks as well as temporal analysis of bitstreams in acquired samples, - The output is much more readable, some minor bugs were fixed. A much better documentation is available, as well. The tarball for version 0.04 is available here: http://lcamtuf.coredump.cx/stompy.tgz Regards (and shutting up!), /mz ------------------------------------------------------------------------- Sponsored by: Watchfire Today's hackers exploit web applications to expose, embarrass and even steal. Firewalls and SSL may be commonplace but recent studies indicate 3 out of 4 websites remain vulnerable to attack. Watchfire's "Addressing Challenges in Application Security" whitepaper, explains what to do and provides a guideline to improving your own application security. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF --------------------------------------------------------------------------
Current thread:
- stompy the session stomper - tool availability Michal Zalewski (Jan 27)
- Re: stompy the session stomper - tool availability Rogan Dawes (Jan 28)
- Re: stompy the session stomper - tool availability Michal Zalewski (Jan 28)
- Re: stompy the session stomper - tool availability Michal Zalewski (Jan 31)
- <Possible follow-ups>
- RE: stompy the session stomper - tool availability Thomas L. Romanis (Feb 01)
- Re: stompy the session stomper - tool availability Rogan Dawes (Jan 28)