Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Re: ColdFusion - CFID & CFTOKEN
From: Rogan Dawes <lists () dawes za net>
Date: Thu, 14 Apr 2005 08:35:35 +0200
Jason binger wrote:


I am currently doing some work with CF MX 6.1 and was
wondering if anyone had some information on the
strength of the CF cookie implementation.

How random the token generation is? How is the
generation performed?
What is the range of the generated tokens? Has an independent security analysis been performed 
and commented on in a public paper?

I have not seen any vendor supplied information on
this.

Cheers,
Jason
Sample a number of userids with WebScarab, allow it to perform the calculations and graph it. Any non-randomness will show up immediately as a visual indicator.
Note, if the sessionid is something like MD5(time), the sessionid will appear random to external analysis, but someone with knowledge of the implementation would still be in a position to brute force session ids. 

Regards,

Rogan

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]