Penetration Testing mailing list archives
SessionID analysis tools/methods?
From: lister () lihim org
Date: Mon, 13 Oct 2008 11:02:13 -0500
In Webscarab, I notice that the entire item is compared as a whole. How do I break the JSESSION into pieces, or determine which part of the entire string is random (i.e. if the JSESSION uses 0000 at the beginning, how do I find out which parts of the entire string are static, or not as random)? I've seen some people use the SESSIONID to store information about the app (i.e. append or prepend information, with the randomness somewhere in between).

I'd be interested in any other tools (GUI or non-GUI) to analyse randomness of SessionIDs.

On a more theoretical level, what mathematical/statistical tests should be conducted against the data?
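As an added example (not from the original post or from Webscarab), one way to answer the first question offline: align a sample of session IDs by position and compute the per-position Shannon entropy, so constant positions (entropy 0) stand out from variable ones and the ID can be split into static and variable segments. The sample IDs below are constructed, with a fixed "0000" prefix and a fixed "-APP1-" marker in the middle.

```python
import math
from collections import Counter

# Constructed sample (not real data): fixed "0000" prefix, 8 hex digits,
# a fixed application marker, then 4 more hex digits.
SAMPLE_IDS = [
    "0000A3F19B2C-APP1-7E4D",
    "00005C01D3E7-APP1-1B9A",
    "0000F77E2A10-APP1-C3D2",
    "00001D9B4C58-APP1-0F6E",
    "00008E2A6F03-APP1-9A41",
    "0000B4C7E19D-APP1-5C07",
    "000062D3A8F4-APP1-E28B",
    "0000C0A55E6B-APP1-3D19",
]


def per_position_entropy(ids):
    """Shannon entropy in bits of the symbol observed at each position."""
    length = len(ids[0])
    if any(len(s) != length for s in ids):
        raise ValueError("session IDs must have equal length to align them")
    n = len(ids)
    result = []
    for pos in range(length):
        counts = Counter(s[pos] for s in ids)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def segments(ids):
    """Group consecutive positions into (start, end, kind) runs, where kind
    is 'static' (entropy 0) or 'variable' (entropy > 0); end is exclusive."""
    ent = per_position_entropy(ids)
    segs, start = [], 0
    for i in range(1, len(ent) + 1):
        if i == len(ent) or (ent[i] == 0.0) != (ent[start] == 0.0):
            segs.append((start, i, "static" if ent[start] == 0.0 else "variable"))
            start = i
    return segs


def estimated_entropy_bits(ids):
    """Sum of per-position entropies: an upper bound that assumes positions
    are independent; a small sample also underestimates the true per-position
    alphabet, so treat the number as a rough indicator, not a proof."""
    return sum(per_position_entropy(ids))


if __name__ == "__main__":
    for start, end, kind in segments(SAMPLE_IDS):
        print(f"{start:2d}-{end:2d} {kind:8s} {SAMPLE_IDS[0][start:end]!r}")
    print(f"approx. {estimated_entropy_bits(SAMPLE_IDS):.1f} bits of entropy")
```

Per-position entropy only finds static fields and low-variance positions; it says nothing about whether the variable part is predictable from the previous ID, which is what comparing consecutive IDs (as Webscarab does) is for.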
Current thread:
- SessionID analysis tools/methods? lister (Oct 13)
- Re: SessionID analysis tools/methods? Ahmet Ozturk (Oct 13)
- Re: SessionID analysis tools/methods? Meenal Mukadam (Oct 13)
- Re: SessionID analysis tools/methods? security curmudgeon (Oct 13)
- Re: SessionID analysis tools/methods? rajat swarup (Oct 14)
