Security Basics mailing list archives
Re: Session ID Analysis
From: "Luis MartinGarcia." <luis.mgarc () gmail com>
Date: Sat, 14 Aug 2010 14:22:52 +0200
On 08/12/2010 11:30 PM, Michal Zalewski wrote:
> Thanks PortSwigger. I will do that. All I'm looking for is a scientific way of indeed proving the non-randomness of the token and, if possible, even predicting next tokens.
I'm certainly not an expert on this, but I think that even if the data pass all randomness tests, it still may offer poor security. Imagine that what look like the random bits of your IDs are simply the output of MD5(time+source_IP). The output of the MD5 will look very random to your tests, but still anyone who figures out the algorithm will be able to break the IDs. Having access to the source code would help a lot.

Luis.

PS: Also, one suggestion, not sure about this, but it would probably be better to perform your tests against the base64-decoded version of your IDs, or at least get rid of the last '=' padding character.
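The point Luis makes, shown as an added example that is not part of the mail: tokens built as base64(MD5(time+source_IP)) pass a simple bit-balance and byte-entropy check on their decoded bytes just as well as tokens from the OS CSPRNG, yet anyone who knows the scheme and its inputs can regenerate them. The client IP, start time and the exact concatenation are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import math
import secrets
from collections import Counter

# Constructed inputs standing in for the "MD5(time + source_IP)" scheme in the mail.
CLIENT_IP = "203.0.113.7"
START_TIME = 1281800000  # arbitrary Unix time chosen for the example

def weak_session_id(timestamp: int, ip: str) -> str:
    """Deterministic token: base64(MD5(time + IP)), '=' padding included."""
    digest = hashlib.md5(f"{timestamp}{ip}".encode()).digest()
    return base64.b64encode(digest).decode()

def strong_session_id() -> str:
    """Token of the same length drawn from the OS CSPRNG, for comparison."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def decode_token(token: str) -> bytes:
    """Analyse the raw bytes, not the base64 text and not its '=' padding."""
    return base64.b64decode(token)

def bit_balance(tokens) -> float:
    """Fraction of 1 bits over all decoded tokens; about 0.5 passes a monobit test."""
    bits = "".join(f"{b:08b}" for t in tokens for b in decode_token(t))
    return bits.count("1") / len(bits)

def byte_entropy(tokens) -> float:
    """Shannon entropy in bits per byte of the decoded tokens (maximum 8.0)."""
    counts = Counter(b for t in tokens for b in decode_token(t))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def reproducible(token: str, timestamp: int, ip: str) -> bool:
    """A reviewer who knows the scheme and its inputs can regenerate the token."""
    return weak_session_id(timestamp, ip) == token

if __name__ == "__main__":
    weak = [weak_session_id(START_TIME + i, CLIENT_IP) for i in range(2000)]
    strong = [strong_session_id() for _ in range(2000)]
    # Both populations look random to the statistics...
    print("weak   bit balance %.3f entropy %.2f" % (bit_balance(weak), byte_entropy(weak)))
    print("strong bit balance %.3f entropy %.2f" % (bit_balance(strong), byte_entropy(strong)))
    # ...but only the weak one is a pure function of low-entropy, knowable inputs.
    print("weak token reproducible:", reproducible(weak[5], START_TIME + 5, CLIENT_IP))
```

The statistics alone cannot tell the two populations apart; only a review of how the token is derived (the source code, as Luis says) reveals the weakness.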