WebApp Sec mailing list archives
New Free Tool - Foundstone CookieDigger
From: "Curphey, Mark" <mark.curphey () foundstone com>
Date: Fri, 13 May 2005 10:57:49 -0700
We are pleased to release another free tool for your pleasure.... For the Impatient Download Binaries - http://www.foundstone.com/resources/termsofuse.htm?file=cookiedigger.zip Download User Guide - http://www.foundstone.com/resources/downloads/Foundstone_CookieDigger_Wh itepaper.pdf For the Less Impatient CookieDigger, designed by Foundstone, is a free tool to help identify weak cookie generation and usage by web applications. The tool works by collecting and analyzing cookies issued by a web application for multiple users. The tools functionality can be divided into 3 broad categories. 1. Cookie Collection 2. Cookie Analyses 3. Results Average Length of the Cookie: If the average cookie length of the cookie that is used as an authenticator is small then it would take fewer brute force attempts to hijack another users session. On a popular site we can assume many users to be logged in at the same time, therefore the chances of a successful brute force attempt is high. Character Set of the Cookie: The character set employed in the generation of cookie value plays an important role in the determining the strength of the authenticator. For any given cookie length, a large character set increases the strength of the authenticator exponentially. If the attacker can determine the character set employed by the application, the brute force attempts can be crafted more efficiently. The combination of the length of the cookie and the character set used determines the strength of the authenticator. Critical Information: The tool checks the cookie values set by the application to see if any of the cookies contains the usernames or password values in it. The check is performed on both the plain text value of the cookie and on the base64 decoded value of the cookie. Other common useful information passed in the cookie values are account numbers, names, privilege levels, etc. Entropy of the Cookies: The tool compares the different values of the cookie values to check how many characters are changing for every subsequent login. If the cookie value remains the same on subsequent logins, it shows that the algorithm used for generating the cookies is vulnerable to chosen plain text attacks. Furthermore, if the cookie values remain the same on subsequent logins it gives the attacker longer periods of time to perform the brute forces attempts. More and lots of screen shots in the whitepaper Mark Curphey http://www.foundstone.com
Current thread:
- New Free Tool - Foundstone CookieDigger Curphey, Mark (May 15)