Penetration Testing mailing list archives
Re: [PEN-TEST] IE Cookie Crypt-Analysis - Good or Bad
From: Chris Keladis <Chris.Keladis () CMC CWO NET AU>
Date: Mon, 18 Dec 2000 22:20:39 -0500
Hi Anthony,

Yes, I am very curious to understand this better myself. More specifically, I am interested in understanding the SITESERVER cookies (IIS?) sets. It seems almost all major sites use them, and there have been published vulnerabilities against them, but I would like to understand if the jargon in the cookie has some meaning, or is it just a garbled string to essentially "maintain state"?

One (insecure) way some sites encrypt their cookies is using base64 encoding of the information; others use XOR, MD5 and other kinds of encryptions, or "bit-shifts".

You need to firstly look at the encoded cipher, see if you can identify a common format, if that fails perhaps a brute force of most major formats. Failing that, a more analytical analysis may be necessary.

Cheers,

Chris.

At 04:44 PM 12/18/00 -0500, Ruso, Anthony wrote:
Hi All,

What are common methods used in decrypting/encrypting cookies? Would many of you trust the use of cookies to store - let's say - passwords and personal information? I'm trying to extract passwords from a client's website through the use of cookies. They used to store website passwords in clear text. I managed to convince them to encrypt them, but how can I test their encryption choice and methods? My crypt-analysis experience is very basic.

Any feedback would be greatly appreciated.

Thanks
Chris Keladis System/Security Administrator Custom Management Centre Cable & Wireless Optus. Phone: (02) 9775-5312 Mobile: (0402) 067-375 E-Mail: Chris.Keladis () cmc cwo net au
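
The first check suggested in the reply above (see whether a cookie value is only a common encoding rather than encryption), written as an audit helper for a site's own cookies. This is an added example, not part of the original post; the function names and the sample cookies are constructed for illustration.

```python
import base64
import binascii
import re
import string
from urllib.parse import unquote

PRINTABLE = set(string.printable.encode("ascii"))

def looks_like_text(data: bytes) -> bool:
    """True when decoded bytes are almost entirely printable ASCII."""
    return len(data) >= 4 and sum(b in PRINTABLE for b in data) / len(data) >= 0.95

def classify_cookie_value(value: str) -> tuple:
    """Return (finding, recovered_text) for a single cookie value."""
    value = unquote(value)  # cookie values are often percent-encoded
    if re.fullmatch(r"(?:[0-9a-fA-F]{2}){4,}", value):
        raw = bytes.fromhex(value)
        if looks_like_text(raw):
            return ("hex-encoded-plaintext", raw.decode("ascii", "replace"))
        if len(value) == 32:
            # 128 bits of hex: MD5 digest length (may also be a random ID)
            return ("md5-length-hex", "")
    if re.fullmatch(r"[A-Za-z0-9+/_-]{8,}={0,2}", value):
        # Accept the URL-safe alphabet and stripped padding as well
        body = value.rstrip("=").replace("-", "+").replace("_", "/")
        try:
            raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if looks_like_text(raw):
            return ("base64-encoded-plaintext", raw.decode("ascii", "replace"))
    return ("opaque", "")

def audit(cookies: dict) -> dict:
    """Map each cookie name to its finding."""
    return {name: classify_cookie_value(v)[0] for name, v in cookies.items()}

# Constructed sample cookies (not taken from any real site)
SAMPLE = {
    "auth_b64": base64.b64encode(b"user=alice;password=hunter2").decode(),
    "auth_hex": b"password=hunter2".hex(),
    "auth_md5": "5f4dcc3b5aa765d61d8327deb882cf99",
    "session": base64.b64encode(bytes(range(200, 232))).decode(),
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```

An "opaque" result only means the value is not one of these plain encodings; it says nothing about the strength of whatever produced it.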