Vulnerability Development mailing list archives

RE: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Thu, 30 Aug 2001 15:37:01 -0400 (EDT)

On Thu, 30 Aug 2001, Norman Cook wrote:

> This is an Automatic process for ID generation that is rather random
> ... so theoretically (as MS always likes to put it) yes, they could
> steal a Session ID, but you would have to guess it first, and that
> would be akin to attempting to hijack a TCP/IP session using a guessed
> TCP/IP sequence number.

... and that's hard! <smirk>

http://razor.bindview.com/publish/papers/tcpseq.html
http://www.cert.org/advisories/CA-2001-09.html

if you (the original author) really want to beef this up, i suggest doing
a large-scale statistical analysis of the session IDs and cookies,
illustrate some predictive properties (i.e. if it's using gettimeofday(),
everyone's favorite seed for their PRNG), and put together some demos. you
may be on to something, as it really does rely on some implicit trust that
the session values are generated randomly.

predictive cookie values are nothing new. :)

hope this helps,

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
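As an added, constructed example (not code from this thread, and not from IIS or ColdFusion), the script below is the kind of audit the reply suggests: it takes a sample of session IDs together with their issue times and measures byte entropy, collision rate, and how many IDs a PRNG reseeded from nearby whole seconds reproduces. Two toy generators are assumed so the same audit can be run on both: `weak_token` seeds Python's PRNG from the issue second (the gettimeofday()-style pattern the reply names) and `strong_token` draws from `os.urandom`. The issue times, login rate and window size are all constructed.

```python
"""Statistical audit of session-ID samples for predictability.

Added example, not part of the original mailing-list post. The two
generators below are constructed stand-ins, not any real product's code.
"""
import math
import os
import random
from collections import Counter

TOKEN_BYTES = 8


def weak_token(issue_time: float) -> bytes:
    """Constructed weak generator: reseeds from the issue second, so every
    session created in the same second gets the same ID, and the ID is a
    pure function of a timestamp rather than of any secret entropy."""
    rng = random.Random(int(issue_time))
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big")


def strong_token() -> bytes:
    """Constructed strong generator: OS CSPRNG output."""
    return os.urandom(TOKEN_BYTES)


def byte_entropy(tokens) -> float:
    """Empirical Shannon entropy (bits per byte) over all token bytes.
    Near 8.0 is necessary for unpredictability but not sufficient: the
    weak generator scores reasonably here and still fails the other checks."""
    counts = Counter(b for t in tokens for b in t)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def duplicate_fraction(tokens) -> float:
    """Share of issued tokens that collide with an earlier one."""
    return 1.0 - len(set(tokens)) / len(tokens)


def seed_window_hits(tokens, issue_times, window_seconds: int) -> float:
    """Fraction of tokens reproduced by a PRNG reseeded with each whole
    second in [issue - window, issue + window]. This quantifies how much of
    the ID is derived from a timestamp that appears in logs and headers
    rather than from real entropy; a sound generator scores 0."""
    hits = 0
    for tok, t in zip(tokens, issue_times):
        base = int(t)
        for s in range(base - window_seconds, base + window_seconds + 1):
            candidate = random.Random(s).getrandbits(TOKEN_BYTES * 8)
            if candidate.to_bytes(TOKEN_BYTES, "big") == tok:
                hits += 1
                break
    return hits / len(tokens)


def audit(tokens, issue_times, window_seconds: int = 5) -> dict:
    """Run all three checks and return the findings as a dict."""
    return {
        "entropy_bits_per_byte": round(byte_entropy(tokens), 2),
        "duplicate_fraction": duplicate_fraction(tokens),
        "seed_window_hits": seed_window_hits(tokens, issue_times, window_seconds),
    }


def constructed_sample(n: int = 200, start: float = 1_000_000_000.0,
                       rate_per_second: int = 4):
    """Constructed issue times: `rate_per_second` logins every second,
    plus one token from each generator per login."""
    issue_times = [start + i / rate_per_second for i in range(n)]
    weak = [weak_token(t) for t in issue_times]
    strong = [strong_token() for _ in issue_times]
    return issue_times, weak, strong


if __name__ == "__main__":
    times, weak, strong = constructed_sample()
    print("time-seeded PRNG:", audit(weak, times))
    print("os.urandom      :", audit(strong, times))
```

With four logins per second, the time-seeded generator hands three quarters of its sessions an ID already issued to someone else, and every one of its IDs is regenerated from a whole second inside a narrow window; the CSPRNG sample shows neither property. In a real audit the sample would be the application's own issued IDs and the timestamps from its access log, and the window check would be repeated against each PRNG and seed-derivation the implementation could plausibly be using.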

