Full Disclosure mailing list archives

Re: stompy the session stomper - tool availability

From: Rogan Dawes <lists () dawes za net>
Date: Sun, 28 Jan 2007 09:01:13 +0200

Michal Zalewski wrote:

Hi all,

I'd like to announce the availability of 'stompy', a free tool to perform
a fairly detailed black-box assessment of WWW session identifier
generation algorithms. Session IDs are commonly used to track
authenticated users, and as such, whenever they're predictable or simply
vulnerable to brute-force attacks, we do have a problem.

[snip]

Yet, while there are several nice GUI-based tools designed to analyze HTTP
cookies for common problems (Daves' WebScarab, SPI Cookie Cruncher,

Just wanted to point out that Dave has had nothing to do with WebScarab 
(and that I recognise that WebScarab's analysis is pretty trivial). 
Would you have any objection to me including/porting Stompy's analysis 
portion into WebScarab, to make it more accessible to folk?

Regards,

Rogan Dawes
WebScarab author

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

stompy the session stomper - tool availability Michal Zalewski (Jan 27)
- Re: stompy the session stomper - tool availability Simon Smith (Jan 27)
- Re: stompy the session stomper - tool availability Rogan Dawes (Jan 28)
  - Re: stompy the session stomper - tool availability Michal Zalewski (Jan 28)
- Re: stompy the session stomper - tool availability Michal Zalewski (Jan 31)