Penetration Testing mailing list archives
Re: Session ID Analysis
From: Steve Pinkham <steve.pinkham () gmail com>
Date: Fri, 13 Aug 2010 17:54:07 -0400
Be cautious with webscarab's session analysis: In my opinion it is worse than useless. It gives you an idea you're doing a good test when you're not. Both Stompy and burp use high-quality statistical randomness tests, which are much more telling about potential problems than a pretty graph. If you can't read the output of either one of those tools and interpret it, you're not qualified to test for randomness.

On 08/12/2010 11:51 PM, Shankar Arjunan wrote:
> Hi, Did you try WebScarab? Webscarab can help you on Session ID as well. Thanks/Shankar
--
| Steven Pinkham, Security Researcher |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |