Security Basics mailing list archives

Re: Session ID Analysis


From: PortSwigger <mail () portswigger net>
Date: Thu, 12 Aug 2010 20:41:32 +0100

Burp isn't basing its conclusion on the first 50 bytes which are invariant. It analyses the whole token, and bases its 
conclusion on the number of bits which pass the statistical tests for randomness. Read the help file for Burp Sequencer 
to understand exactly how it works.

Even if a token contains a lot of invariant material, it can still exhibit strong entropy if there are enough other bits 
which are sufficiently random. But you can't tell whether variant parts of a token are random just by looking - you 
need to run proper tests or, better, look at the source code for the algorithm.

In this instance, the application is serving duplicated successive tokens to you, which will be affecting Burp's 
analysis. You need to gather samples from two locations simultaneously and first check whether the same token is ever 
issued to two different users. If so, this is a serious defect in itself. If not, then you should strip the duplicated 
successive tokens from your sample, and reload it into Sequencer to reanalyse:

cat sessids.txt | uniq > sessids2.txt

One other point: while Burp will let you run its analysis on a small sample, you should gather several thousand tokens 
to ensure the results of the statistical tests are at all reliable.

Cheers
PortSwigger


On 12 Aug 2010, at 01:36, M.D.Mufambisi wrote:

Hi,

I have been analysing session IDs generated by a test site (for
security practice) using Burp. Burp reports that the randomness of the
session IDs is extremely poor. Having a look at the session IDs, I can
tell the first 50 or so bytes are about the same on all session IDs,
and the other 10 appear to change. I bet Burp got to this conclusion
based on the first 50 bytes or so. Suppose the developer came and said
yes, the first 50 bytes are based on a calculation by date (hence they
are all the same) but the last 10 bytes are extremely random... how
would I be able to confirm or deny this? I will paste a couple of the
session IDs here and I would be most grateful if I got ideas of what
the changing bytes could be. Ultimately I want to see if I will be
able to predict session IDs.

May I also kindly have suggestions of software that I can use to find
solutions to the above or to analyse session IDs. Thanks. I will paste
a sample of the session IDs here for your perusal.

tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+9vjLLL9unOPaw=
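As an added illustration of the workflow in the reply above, and not code from PortSwigger, Burp or the original poster: a short Python script that performs the `uniq` step, base64-decodes the tokens, reports which byte offsets actually vary and how much, checks for tokens reissued elsewhere in the sample, and flags whether the sample is big enough for any of it to mean much. The token list is a handful of the values quoted in the question; the 1,000-token threshold is an arbitrary placeholder of mine, not a Burp Sequencer setting.

```python
import base64
import math
from collections import Counter
from itertools import groupby

# A handful of the tokens quoted in the question (copied verbatim from the thread);
# the full sample on the list is longer, and a real analysis needs thousands.
SAMPLE_TOKENS = """
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4=
""".split()

MIN_SAMPLE = 1000  # placeholder threshold, not a Burp Sequencer setting


def dedupe_successive(tokens):
    """Collapse immediately repeated tokens, as `uniq` does on an unsorted stream."""
    return [token for token, _ in groupby(tokens)]


def repeated_anywhere(tokens):
    """Tokens still occurring more than once after the uniq step: a reissue, not a repeat."""
    return {t: n for t, n in Counter(tokens).items() if n > 1}


def decode_tokens(tokens):
    """Base64-decode every token and insist they all have the same length."""
    blobs = [base64.b64decode(t, validate=True) for t in tokens]
    if len({len(b) for b in blobs}) != 1:
        raise ValueError("decoded tokens differ in length; align them before comparing")
    return blobs


def variant_positions(blobs):
    """Byte offsets at which the decoded tokens do not all agree."""
    return [i for i in range(len(blobs[0])) if len({b[i] for b in blobs}) > 1]


def position_entropy(blobs, i):
    """Shannon entropy in bits of the byte at offset i over the sample (8.0 is the maximum)."""
    n = len(blobs)
    return -sum(c / n * math.log2(c / n) for c in Counter(b[i] for b in blobs).values())


def analyse(tokens, min_sample=MIN_SAMPLE):
    unique = dedupe_successive(tokens)
    blobs = decode_tokens(unique)
    positions = variant_positions(blobs)
    return {
        "raw_count": len(tokens),
        "after_uniq": len(unique),
        "reissued_tokens": repeated_anywhere(unique),
        "decoded_len": len(blobs[0]),
        "variant_positions": positions,
        "entropy_per_position": {i: round(position_entropy(blobs, i), 2) for i in positions},
        # Every varying byte could carry at most 8 bits; this is a ceiling, not a measurement.
        "upper_bound_bits": 8 * len(positions),
        # With k distinct samples no position can show more than log2(k) bits, so a small
        # sample caps the estimate regardless of how good the generator really is.
        "entropy_ceiling_bits": round(math.log2(len(unique)), 2),
        "sample_large_enough": len(unique) >= min_sample,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TOKENS).items():
        print(f"{key}: {value}")
```

On this handful of tokens the script finds variation not only in the 11-byte tail the question describes but also at two bytes in the middle of the "invariant" prefix (the `1D`/`xK` change visible in the quoted sample), which is exactly the sort of thing eyeballing misses. The `entropy_ceiling_bits` figure is the practical point of the "several thousand tokens" advice: five distinct samples can never show more than about 2.3 bits per position, so no conclusion about the generator is possible until the sample is large enough.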





