Vulnerability Development mailing list archives
RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others)
From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Thu, 30 Aug 2001 15:37:01 -0400 (EDT)
On Thu, 30 Aug 2001, Norman Cook wrote:
This is an Automatic process for ID generation that I rather random ... so theoretically (as MS always likes to put it) yes, they could steal a Session ID, but you would have to guess it first, and that would be akin to attempting to hijack a TCP/IP session using a guessed TCP/IP sequence number.
... and thats hard! <smirk> http://razor.bindview.com/publish/papers/tcpseq.html http://www.cert.org/advisories/CA-2001-09.html if you (the original author) really want to beef this up, i suggest doing a large scale statistical analysis of the session IDs and cookies, illustrate some predictive properties (ie if its using gettimeofday(), everyone's favorite seed for their PRNG), and put together some demos. you may be on to something, as it really does rely on some implicit trust that the session values are generated randomly. predictive cookie values are nothing new. :) hope this helps, ____________________________ jose nazario jose () cwru edu PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80 PGP key ID 0xFD37F4E5 (pgp.mit.edu)
Current thread:
- RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Norman Cook (Aug 30)
- RE: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Jose Nazario (Aug 30)
- Re: Web session tracking security prob. Vulnerable: IIS and ColdF usion (maybe others) Kevin Fu (Aug 30)