WebApp Sec: Re: ColdFusion - CFID & CFTOKEN

Re: ColdFusion - CFID & CFTOKEN

From: Rogan Dawes <lists_at_dawes.za.net>
Date: Thu, 14 Apr 2005 08:35:35 +0200

Jason binger wrote:

>I am currently doing some work with CF MX 6.1 and was
>wondering if anyone had some information on the
>strength of the CF cookie implementation.
>
>How random is the token generation? How is the
>generation performed?
>What is the range of the generated tokens?
>Has an independent security analysis been performed
>and commented on in a public paper?
>
>I have not seen any vendor supplied information on
>this.
>
>Cheers,
>Jason
>
Sample a number of userids with WebScarab, allow it to perform the
calculations and graph it. Any non-randomness will show up immediately
as a visual indicator.

Note, if the sessionid is something like MD5(time), the sessionid will
appear random to external analysis, but someone with knowledge of the
implementation would still be in a position to brute force session ids.

Regards,

Rogan
Received on Apr 14 2005
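The following is an added example, not code from the original post and not ColdFusion's own CFTOKEN algorithm. It models the two points in Rogan's reply with constructed generators: a WebScarab-style statistical look at a batch of sampled session IDs (symbol entropy and how much each character position varies), and a token built as MD5(time) that passes that external look yet is recovered in a handful of hash computations by an attacker who knows the construction and can estimate the issue time. The base timestamp, the counter generator, the "time window" and all thresholds are assumptions chosen for illustration.

```python
# Added example, not from the original post or from ColdFusion.  Models Rogan's two
# points: (1) external statistical analysis of sampled session IDs, WebScarab-style;
# (2) MD5(time) looks random externally yet is brute-forceable with implementation
# knowledge.  Every generator and timestamp here is constructed for illustration.
import hashlib
import math
import secrets
from collections import Counter

BASE_TIME = 1_113_460_535          # constructed epoch second, roughly the post's date
TOKEN_HEX_LEN = 32                 # MD5 digest length in hex digits


def md5_time_token(t: int) -> str:
    """Hypothetical weak generator: the token is MD5 of the issuing second."""
    return hashlib.md5(str(t).encode()).hexdigest()


def counter_token(n: int) -> str:
    """Hypothetical very weak generator: a zero-padded incrementing counter."""
    return f"{n:0{TOKEN_HEX_LEN}x}"


def strong_token() -> str:
    """CSPRNG token of the same length, for comparison."""
    return secrets.token_hex(TOKEN_HEX_LEN // 2)


def hex_entropy_bits(tokens):
    """Shannon entropy in bits per hex digit over every position (uniform => 4.0)."""
    counts = Counter(ch for tok in tokens for ch in tok)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def distinct_per_position(tokens):
    """Number of distinct symbols seen at each character position.

    This is the per-position view a sequence analyser graphs: a counter or a
    timestamp-like field shows up as positions that barely change."""
    width = len(tokens[0])
    return [len({tok[i] for tok in tokens}) for i in range(width)]


def looks_random(tokens, min_entropy=3.9, min_distinct=12):
    """Naive external verdict: high symbol entropy and every position varies."""
    return (hex_entropy_bits(tokens) >= min_entropy
            and min(distinct_per_position(tokens)) >= min_distinct)


def brute_force_md5_time(observed: str, t_guess: int, window: int):
    """Attacker who knows the MD5(time) construction and can estimate the issue
    time (e.g. from the HTTP Date header) tries every second within +/- window."""
    for t in range(t_guess - window, t_guess + window + 1):
        if md5_time_token(t) == observed:
            return t
    return None


def demo(samples: int = 500):
    """Sample each generator, run the external check, then attack MD5(time)."""
    weak_md5 = [md5_time_token(BASE_TIME + i) for i in range(samples)]
    weak_ctr = [counter_token(1000 + i) for i in range(samples)]
    strong = [strong_token() for _ in range(samples)]

    victim_time = BASE_TIME + 37                  # the second the victim logged in
    victim_token = md5_time_token(victim_time)
    recovered = brute_force_md5_time(victim_token, BASE_TIME, window=60)

    return {
        "counter_looks_random": looks_random(weak_ctr),   # False: positions are static
        "md5_time_looks_random": looks_random(weak_md5),  # True: hash output is uniform
        "strong_looks_random": looks_random(strong),      # True
        "md5_time_recovered": recovered == victim_time,   # True, at most 121 MD5 calls
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the comparison is that the statistical check alone cannot distinguish `md5_time_token` from `strong_token`: both produce uniformly distributed hex. Only knowledge of the construction (here, that the input space is a few seconds of clock) turns the second into a 121-guess search, which is why an independent review of the generation algorithm, not just sampling, is what Jason's question actually calls for.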
