Home page logo

pauldotcom logo PaulDotCom mailing list archives

Finding the common thread...
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Mon, 15 Jun 2009 13:32:57 +0100

You might want to do some statistical analysis on the values for the session
ID. One crude way is to plot session ID over time to see if the value always
ascends and look for other patterns. WebScarab will do this for you while
you run the crawler over a page that sets the session ID.


5-10 characters does seem very short for a session ID and possible within
the realms of brute-force attacks if you can reduce the keyspace you need to
search. Can you give an example of what the session IDs looks like?


2009/6/15 <christopher.riley at r-it.at>

As part of some research I'm doing I've started looking at the method used
to create session keys within a custom coded program. As I don't have access
to the source-code (and never likely will) I've been doing my best to figure
out the process from the information I have to hand.

Due to the fact that the session ID's created can never repeat (all
sessions are logged to a SQL database using the session ID as the Primary
Key, duplicates therefore cause a database error) it seems very possible
that the session ID's are created based on a mathematical formular using the
timestamp as input. By mixing multiple inputs (such as
username/password/system name etc...) the program runs the risk of creating
a SessionID that already exists.

This is were my problem starts. In order to prove the theory, I need to
find how the timestamp is manipulated to create the SessionID. I have access
to the logfile containing 35,000+ valid sessionID's and the timestamp of the
logon. Given these two linked piece of information, what can be done (in a
automated or semi-automated fashion) to find any common threads between
these values ?

Additional Info .:

The timestamp is a standard unix timestamp. The web-application is C based
(CGI), and the resulting SessionID's vary between 5 and 10 characters in
length (there is no visual pattern between the length and the timestamp).

Any ideas ?

Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR
0486809, UID ATU 16351908

Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail
dient ausschliesslich Informationszwecken. Rechtsgeschaeftliche Erklaerungen
duerfen ueber dieses Medium nicht ausgetauscht werden.
Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.

Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090615/cf3fcaff/attachment.htm 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]