Security Basics mailing list archives

Re: Session ID Analysis


From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Sat, 14 Aug 2010 14:22:52 +0200

On 08/12/2010 11:30 PM, Michal Zalewski wrote:
Thanks portswigger. I will do that. All I'm looking for is a scientific
way of indeed proving the non-randomness of the token and, if possible,
even predicting the next tokens.


I'm certainly not an expert on this, but I think that even if the data
pass all randomness tests, it may still offer poor security. Imagine
that what looks like the random bits of your IDs is simply the
output of MD5(time+source_IP). The output of the MD5 will look very
random to your tests, but anyone who figures out the algorithm
will still be able to break the IDs. Having access to the source code would
help a lot.

Luis.


PS: Also, one suggestion. I'm not sure about this, but it would probably be
better to perform your tests against the base64-decoded version of your
IDs, or at least get rid of the last '=' padding character.
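To illustrate the point above in working code (an added example, not code from the thread): session IDs built as base64(MD5(time + source_IP)) pass a byte-frequency chi-square test exactly as CSPRNG tokens do, yet remain recomputable from inputs an observer can see, and the same statistic run on the undecoded base64 text fails for reasons that have nothing to do with token quality, which is why the PS suggests decoding first. The timestamp and IP address are constructed sample values.

```python
import base64
import hashlib
import secrets
from collections import Counter

# Constructed sample inputs (not from the thread): a base timestamp and a client IP.
SAMPLE_TIME = 1281788572          # hypothetical epoch seconds
SAMPLE_IP = "192.0.2.10"          # documentation-range address


def weak_token(t: int, ip: str) -> str:
    """Session ID built as base64(MD5(time + source_IP)), the scheme the post
    describes: a deterministic function of values an observer can see."""
    return base64.b64encode(hashlib.md5(f"{t}{ip}".encode()).digest()).decode()


def strong_token() -> str:
    """Session ID from the OS CSPRNG: 128 bits derived from no observable input."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def byte_chi_square(data: bytes) -> float:
    """Chi-square statistic of byte frequencies against a uniform 256-symbol
    distribution. For genuinely random bytes it sits near 255 (degrees of freedom)."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def randomness_looks_fine(tokens: list, decode: bool = True) -> bool:
    """Run the test over a batch of tokens. decode=True follows the PS: analyse the
    base64-decoded bytes, because the 65-character ASCII alphabet and the fixed
    '=' padding otherwise dominate the statistic regardless of token quality."""
    blob = b"".join(base64.b64decode(tok) if decode else tok.encode() for tok in tokens)
    # 400 is a loose cut-off for 255 degrees of freedom; a real analysis uses a p-value.
    return byte_chi_square(blob) < 400


def demo() -> dict:
    """Compare 1000 weak and 1000 strong IDs; the statistic cannot separate them."""
    weak = [weak_token(SAMPLE_TIME + i, SAMPLE_IP) for i in range(1000)]
    strong = [strong_token() for _ in range(1000)]
    return {
        "weak_passes": randomness_looks_fine(weak),                   # True
        "strong_passes": randomness_looks_fine(strong),               # True
        "encoded_passes": randomness_looks_fine(weak, decode=False),  # False: base64 artefact
        # The difference the test misses: the weak ID is recomputable from public inputs.
        "weak_recomputable": weak[0] == weak_token(SAMPLE_TIME, SAMPLE_IP),   # True
        "strong_recomputable": strong_token() == strong_token(),             # False
    }
```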
