WebApp Sec mailing list archives
Re: stompy the session stomper - tool availability
From: Rogan Dawes <lists () dawes za net>
Date: Sun, 28 Jan 2007 09:01:13 +0200
Michal Zalewski wrote:
Hi all, I'd like to announce the availability of 'stompy', a free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms. Session IDs are commonly used to track authenticated users, and as such, whenever they're predictable or simply vulnerable to brute-force attacks, we do have a problem.
[snip]
Just wanted to point out that Dave has had nothing to do with WebScarab (and that I recognise that WebScarab's analysis is pretty trivial). Would you have any objection to me including/porting Stompy's analysis portion into WebScarab, to make it more accessible to folk?Yet, while there are several nice GUI-based tools designed to analyze HTTP cookies for common problems (Daves' WebScarab, SPI Cookie Cruncher,
Regards, Rogan Dawes WebScarab author ------------------------------------------------------------------------- Sponsored by: WatchfireIt's been reported that 75% of websites are vulnerable to attack. That's because hackers know to exploit weaknesses in web applications. Traditional approaches to securing these assets no longer apply. Download the "Addressing Challenges in Application Security" whitepaper today, and see for yourself.
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF --------------------------------------------------------------------------
Current thread:
- stompy the session stomper - tool availability Michal Zalewski (Jan 27)
- Re: stompy the session stomper - tool availability Rogan Dawes (Jan 28)
- Re: stompy the session stomper - tool availability Michal Zalewski (Jan 28)
- Re: stompy the session stomper - tool availability Michal Zalewski (Jan 31)
- <Possible follow-ups>
- RE: stompy the session stomper - tool availability Thomas L. Romanis (Feb 01)
- Re: stompy the session stomper - tool availability Rogan Dawes (Jan 28)