Bugtraq: Re: Jetty Session ID Prediction

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Jetty Session ID Prediction

From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Mon, 5 Feb 2007 20:42:14 +0100 (CET)

On Mon, 5 Feb 2007, NGSSoftware Insight Security Research wrote:

Jetty generates a 64-bit session id by generating two 32-bit numbers in
this way, so we end up with an encoded 64-bit integer. By decoding the
integer and splitting it into its two component 32-bit integers, we can
easily brute-force the generator's internal state.


Why on earth would you want to brute-force it?

http://www.springerlink.com/content/9jkp3179mj6fwh6m/s
http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C89/138.PDF

Cheers,
/mz

By Date By Thread

Current thread:

Jetty Session ID Prediction NGSSoftware Insight Security Research (Feb 05)
- Re: Jetty Session ID Prediction Amit Klein (Feb 05)
- Re: Jetty Session ID Prediction Michal Zalewski (Feb 05)
  - Re: Jetty Session ID Prediction Amit Klein (Feb 06)
    - Re: Jetty Session ID Prediction Michal Zalewski (Feb 06)
- <Possible follow-ups>
- Re: Jetty Session ID Prediction Chris Anley (Feb 06)
  - Re: Jetty Session ID Prediction Amit Klein (Feb 06)
    - Re: Jetty Session ID Prediction Chris Anley (Feb 07)