Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: IIS 5 cookie encryption password

Re: IIS 5 cookie encryption password

From: Serguey Forcade <sergueyf_at_gmail.com>
Date: Tue, 3 Apr 2007 12:32:58 -0400

Thanks, but I based my assumptions on an article from Microsoft
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/iisbook/c06_asp_session_id_and_session_security.mspx?mfr=true)

Even tho your statement makes sense. It's just that I haven't been
able to find more info about the relationship between the session ID
and the cookie.

On 4/3/07, Rogan Dawes <discard_at_dawes.za.net> wrote:
> Serguey Forcade wrote:
> > Hi, I'd like to know if anyone knows of a paper that explains how to
> > extract the encryption password IIS creates when it starts up, and
> > uses to encrypt the session ID + random data in order to generate the
> > cookie value the users receives.
> >
> > I'm interested in IIS 5.0.
> >
> > Thanks.
> >
>
> Take this with a pinch of salt, but I don't think that the session
> identifier and the cookie value are directly related.
>
> One reason for this statement is that if you abandon the session (using
> ASP), and create a new one, the cookie value does not change. However,
> the result of "Session.SessionID" DOES change.
>
> I suspect that the cookie value is generated using a combination of some
> static/sequential info, and some random data, and then associated with
> the next available (i.e sequential integer) SessionID. When the session
> is abandoned, the session object associated with that integer SessionID
> is discarded. A subsequent request from the client containing the old
> Session Cookie value will then automatically be associated with the next
> available sequential integer SessionID.
>
> Hope this helps.
>
> Rogan
>
> P.S. One consequence of this inability to change the cookie value
> through abandoning the session is that ASP apps are AUTOMATICALLY
> vulnerable to Session Fixation
> <http://www.owasp.org/index.php/Session_Fixation>. An approach to
> protecting ASP apps against session fixation is shown here
> <http://www.owasp.org/index.php/Session_Fixation_Protection>
>

-------------------------------------------------------------------------
Sponsored by: Watchfire

It's been reported that 75% of websites are vulnerable to attack. That's
because hackers know to exploit weaknesses in web applications.
Traditional approaches to securing these assets no longer apply. Download
the "Addressing Challenges in Application Security" whitepaper today,
and see for yourself.

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF
--------------------------------------------------------------------------
Received on Apr 05 2007

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos