Penetration Testing mailing list archives
Re: SessionId Prediction - Classic ASP - Tool?
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Sat, 23 Feb 2008 12:52:09 +0100
Hi Jay,

On Fri, 22/02/2008 at 11.36 -0500, Jay wrote:
> How is it known that 706616434 equates to ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE?

Have a look at http://www.cgisecurity.com/lib/SessionIDs.pdf

".. IIS ASP SessionID
Session ID values are 32-bit long integers. Each time the Web server is restarted, a random session ID starting value is selected. For each new ASP session that is created, the session ID value is incremented. The 32-bit session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a cookie is received, the session ID is decrypted from the 16-character cookie string. The encryption key is randomly selected each time the Web server is restarted. .."

Cheers,
Stefano

--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Owasp Italy R&D Director
Web: www.wisec.it
..................
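The quoted description gives a defender something concrete to check: ASP cookies are drawn from the 16-letter alphabet A..P (4 bits per character), so a captured sample can be measured per position to see how much of that capacity is actually used. The following is an added example, not code from the thread or from IIS; the cookie values are constructed to show the shape of a poorly mixed, counter-driven value, and the 64-bit threshold is an assumed policy minimum.

```python
import math
from collections import Counter

ASP_ALPHABET = set("ABCDEFGHIJKLMNOP")  # 16 letters, 4 bits per character

# Constructed sample (not real captures): a fixed prefix with only the tail
# changing, the shape you would expect from a counter that is not well mixed.
SAMPLE_COOKIES = [
    "JHMBOBKCBINEHLPKJHOPABBE", "JHMBOBKCBINEHLPKJHOPABBF",
    "JHMBOBKCBINEHLPKJHOPABBG", "JHMBOBKCBINEHLPKJHOPABBH",
    "JHMBOBKCBINEHLPKJHOPABCA", "JHMBOBKCBINEHLPKJHOPABCB",
    "JHMBOBKCBINEHLPKJHOPABCC", "JHMBOBKCBINEHLPKJHOPABCD",
]

def is_asp_cookie(value):
    """True if the value uses only the Classic ASP cookie alphabet A..P."""
    return len(value) > 0 and set(value) <= ASP_ALPHABET

def position_entropy(cookies):
    """Shannon entropy (bits) of each character position across the sample.
    Each position carries at most 4 bits; with n samples at most log2(n) bits
    are observable per position, so a small sample underestimates a good
    generator. A position that never changes, however, is a real finding."""
    if not cookies or len({len(c) for c in cookies}) != 1:
        raise ValueError("need a non-empty sample of equal-length cookies")
    n = len(cookies)
    result = []
    for pos in range(len(cookies[0])):
        counts = Counter(c[pos] for c in cookies)
        result.append(-sum(k / n * math.log2(k / n) for k in counts.values()))
    return result

def assess(cookies, min_bits=64):
    """Summarise observable randomness and flag positions that never change."""
    bad = [c for c in cookies if not is_asp_cookie(c)]
    if bad:
        raise ValueError("values outside the A..P alphabet: %r" % bad)
    ent = position_entropy(cookies)
    observed = sum(ent)
    return {
        "length": len(cookies[0]),
        "observed_bits": round(observed, 2),
        "fixed_positions": [i for i, e in enumerate(ent) if e == 0.0],
        "meets_minimum": observed >= min_bits,  # assumed policy threshold
    }

if __name__ == "__main__":
    print(assess(SAMPLE_COOKIES))
```

On the constructed sample only the last two positions vary, so the report shows 22 fixed positions and 4 observable bits; on a real capture the fixed-position list is the part worth acting on, since the total is bounded by sample size.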