Penetration Testing mailing list archives

Re: SessionID analysis tools/methods?


From: "Meenal Mukadam" <meenal.mukadam () gmail com>
Date: Tue, 14 Oct 2008 01:41:33 +0530

Hello Lister,

In the Analysis tab (of WebScarab) the session identifiers' range,
difference, min and max values are clearly denoted. But as you
correctly said, it is calculated by taking the entire value. Now to solve
this problem the tabular structure format comes in handy. The tabular
format makes it very easy to observe and analyse the randomness. I do
a manual inspection to get the randomness.

I have tried exporting it to analyse the data but the range poses a
big challenge in doing so. You can try exporting the sample values in
different formats to do a detailed analysis. But my experience tells me
nothing beats the manual inspection...


Regards,

Meenal A. Mukadam
(CEH, MBA Information Systems & Security)

On Mon, Oct 13, 2008 at 9:32 PM, <lister () lihim org> wrote:

In WebScarab, I notice that the entire item is compared as a whole. How
do I break the JSESSION into pieces, or determine which part of the
entire string is random (i.e. if the JSESSION uses 0000 at the beginning,
how do I find out which parts of the entire string are static, or not
as random)?

I've seen some people use the SESSIONID to store information about the app
(i.e. append or prepend information, with the randomness somewhere in between).

I'd be interested in any other tools (gui or non-gui) to analyse randomness
of SessionIDs.

On a more theoretical level, what mathematical/statistical tests should be
conducted against the data?

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

--
Meenal A. Mukadam

-------------------------------------------------------------
Far away there in the sunshine
are my highest aspirations.
I may/may not reach them,
but I can look up and see their beauty,
believe in them and try to follow
where they lead
-------------------------------------------------------------
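As an added example (not part of either post above, and not WebScarab's own code), the following script does the per-position breakdown Lister asks for: it takes a captured set of your own application's session IDs, scores each character position by Shannon entropy, and labels it static, sequential (a counter, which entropy alone would misreport as random), low-entropy or random. The sample IDs are constructed for the demonstration; a real assessment needs hundreds of captured values.

```python
import math
from collections import Counter

# Constructed sample (hypothetical, not real tokens): a fixed "0000" prefix,
# a 12-hex-digit varying core and a "-010N" suffix with per-session counter N.
SAMPLE_IDS = [
    "0000A7F3C9B1D2E4-0101", "0000F21B8C4D9A03-0102",
    "00003E9C0B27F6A8-0103", "0000C48D1F6E3B95-0104",
    "00007B0E5A9C4D17-0105", "00009D6A2E8F0C4B-0106",
    "0000E15F7D3A6B20-0107", "00002C3B4E0D8F76-0108",
]

def shannon_bits(symbols):
    """Shannon entropy (bits) of one column of characters."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def position_entropy(ids):
    """Entropy per character position; the IDs must share one length."""
    length = len(ids[0])
    if any(len(s) != length for s in ids):
        raise ValueError("session IDs differ in length; align them first")
    return [shannon_bits([s[i] for s in ids]) for i in range(length)]

def classify_positions(ids, low_bits=1.5):
    """Label each position static / sequential / low / random; a column that
    strictly increases in capture order is a counter, not randomness."""
    labels = []
    for i, bits in enumerate(position_entropy(ids)):
        column = [s[i] for s in ids]
        if bits == 0:
            label = "static"
        elif all(ord(b) > ord(a) for a, b in zip(column, column[1:])):
            label = "sequential"
        else:
            label = "low" if bits < low_bits else "random"
        labels.append(label)
    return labels

def segments(labels):
    """Collapse per-position labels into (start, end, label) runs."""
    runs = []
    for i, label in enumerate(labels):
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], i, label)
        else:
            runs.append((i, i, label))
    return runs
```

Running `segments(classify_positions(SAMPLE_IDS))` on the constructed sample reports positions 0-3 as static, 4-15 as random, 16-19 as static and 20 as sequential, which is the split WebScarab's whole-value comparison hides.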
