Vulnerability Development mailing list archives

ColdFusion session id analysis - help wanted


From: Alla Bezroutchko <alla () scanit be>
Date: Wed, 22 Jan 2003 12:40:57 +0100

I've been doing a web application audit for a customer and did some
analysis of ColdFusion session cookies. While not completely predictable
at first glance, there seem to be some interesting, quite non-random
patterns there. Unfortunately I don't have time to finish this, so
perhaps someone can use my results to continue this research.

The goal would be to determine how much randomness there is in ColdFusion session ids and if possible try to predict them.

ColdFusion uses two cookies to track sessions. One is called CFID and
the other is called CFTOKEN. CFID seems to be incremented with each
subsequent request, so it is predictable. CFTOKEN is a decimal number of
8 or fewer digits that seems random at first glance.

I have gathered about 50000 values of CFTOKEN during a timespan of about
10 hours. The result was a text file with the timestamp and the value of
the cookie on each line. Then I plotted it using gnuplot.

The y axis is the value of the cookie, the x axis is the timestamp. Here is the
image:

http://www.scanit.be/cf/image1.gif

If we look closer at it here is what we see:

http://www.scanit.be/cf/image2.gif

Apparently the values are distributed along lines which can be
described by the equation:

y = kx + bn, (1)

where x and y are the coordinates, k and b are constants and n is an
integer. The number of stripes is 238 - quite a strange number.

There are quite wide stripes where there are no values at all. The
stripes are about 200000 wide with 200000 of empty space in between them.
This decreases the number of possible cookie values by a factor of 2.

I assume that the actual cookie value is composed of two independent
random values that are concatenated. The first random value determines the
stripe and the second random value determines the deviation from the
line defined by the equation above.

I calculated the values for k and b, so the equation looks like this:

y = tan(deg2rad(180-6.1806))/1000 * x + 442500*n + 138000 (2)

Here is the distribution of the cookie values along those lines:

http://www.scanit.be/cf/image3.gif

Next I tried to analyse the deviation of the actual cookie values from
equation (2). Here is a perl script I used to calculate deviations:

------------------------------------------------------------------------
#!/usr/local/bin/perl
#
# Reads lines of "<timestamp> <CFTOKEN>" and prints, for each sample,
# its index and the deviation of the token from the nearest stripe
# line of equation (2):  y = k*x + b*n + d

use strict;
use warnings;
use Math::Trig;
use POSIX;

my ($input) = @ARGV;

if (!$input) { die "usage: diff input-file\n" }

open(my $dots_fh, '<', $input)
    || die "cannot open $input file for reading: $!";

my @dots = <$dots_fh>;
close($dots_fh);

# Constants fitted from the plots (see equation (2))
my $k = tan(deg2rad(180 - 6.1806)) / 1000;   # slope of the stripes
my $b = 442500;                              # distance between stripes
my $d = 138000;                              # offset of stripe n = 0

for (my $i = 0; $i < scalar(@dots); $i++) {
    chomp($dots[$i]);
    next if $dots[$i] eq '';
    my ($x, $y) = split(/ /, $dots[$i]);

    # Remove the time-dependent part, leaving b*n + d + deviation
    my $bn = ($y - $k * $x);

    # Nearest stripe index n (rounded to the closest integer)
    my $n = sprintf("%.0f", (($bn - $d) / $b));

    # Deviation of this sample from the line of stripe n
    my $diff = $n * $b + $d - $bn;
    print "$i $diff\n";
}
-------------------------------------------------------------------------

Resulting data was again plotted using gnuplot:

http://www.scanit.be/cf/image4.gif

You can see the diagonal pattern again.

Next I estimated the angle of those lines and rotated the values by this
angle, so that the lines become horizontal instead of diagonal. Then I
accidentally used a different scale on the x axis and here is what I got:

http://www.scanit.be/cf/image5.gif

You can see the wavy pattern. This is something I cannot think of an
explanation for. The data was gathered during about 10 hours, so there
might be a 12 or 24 hour cycle in the values, but it still looks quite
strange. I stopped my analysis at that.

If someone is interested in this stuff, I can send my data and the
scripts I used for the analysis. It would be interesting to see if other installations of ColdFusion have the same patterns.

Alla.
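As an added example, not part of the post above, the following Python code performs the same stripe decomposition as the Perl script (using the constants of equation (2)) and then estimates how many bits of randomness the stripe/residual structure leaves in a sample of tokens; the `decompose`, `effective_bits` and `make_samples` names and the generated sample data are assumptions for illustration, not real ColdFusion output.

```python
import math
import random

# Constants from equation (2) in the post: y = k*x + b*n + d
K = math.tan(math.radians(180 - 6.1806)) / 1000
B = 442500
D = 138000


def decompose(x, y):
    """Split a (timestamp, CFTOKEN) pair into the stripe index n and the
    signed residual bn - (n*b + d), i.e. the post's $diff with the sign
    flipped so that a token above its stripe line gives a positive value."""
    bn = y - K * x
    n = round((bn - D) / B)
    return n, bn - (n * B + D)


def effective_bits(samples):
    """Crude upper bound on the randomness left after the decomposition:
    log2(#distinct stripes) + log2(residual span), assuming both parts
    are uniform. Returns (stripe_count, residual_span, bits)."""
    stripes = set()
    residuals = []
    for x, y in samples:
        n, r = decompose(x, y)
        stripes.add(n)
        residuals.append(r)
    span = max(residuals) - min(residuals) + 1
    bits = math.log2(len(stripes)) + math.log2(span)
    return len(stripes), span, bits


def make_samples(count, stripes, width, seed=1):
    """Constructed sample generator (not real ColdFusion data): tokens
    drawn uniformly from `stripes` bands of `width` along equation (2)."""
    rng = random.Random(seed)
    t0 = 1043000000  # constructed epoch timestamp, January 2003
    out = []
    for i in range(count):
        x = t0 + i
        n = rng.randrange(stripes)
        r = rng.randrange(width)
        out.append((x, round(K * x + B * n + D + r)))
    return out


if __name__ == "__main__":
    count, span, bits = effective_bits(make_samples(5000, 10, 200000))
    print(f"{count} stripes, residual span {span:.0f}, about {bits:.1f} bits")
```

With the post's figures (238 stripes, residuals 200000 wide) the same estimate gives roughly 25.5 bits against about 26.6 bits for a uniformly random 8-digit number.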
