Full Disclosure mailing list archives
Re: stompy the session stomper - tool availability
From: "Thomas L. Romanis" <TLR () portcullis-security com>
Date: Thu, 1 Feb 2007 09:52:18 -0000
IT would help if DansGuardian did stop you downloading the updated version! ; ) -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michal Zalewski Sent: 31 January 2007 23:19 To: webappsec () securityfocus com Cc: bugtraq () securityfocus com; full-disclosure () lists grok org uk Subject: Re: stompy the session stomper - tool availability On Sat, 27 Jan 2007, Michal Zalewski wrote:
I'd like to announce the availability of 'stompy', a free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms.
I'm genuinely surprised by the amount of (mostly positive ;-) feedback I got! Just an one-time, quick heads up: in response to numerous suggestions, I added a couple of fairly significant features to the tool that should make it capable of discovering far more - so if you downloaded it several days ago, you might want to update your copy: - It now supports SSL connections, custom-crafted requests including POSTs, and input from external sources (for evaluation of non-WWW tokens of any type), - It now uses GNU MP library to losslessly handle alphabets that do not directly map to binary (this is big), - Can run spatial correlation checks as well as temporal analysis of bitstreams in acquired samples, - The output is much more readable, some minor bugs were fixed. A much better documentation is available, as well. The tarball for version 0.04 is available here: http://lcamtuf.coredump.cx/stompy.tgz Regards (and shutting up!), /mz ------------------------------------------------------------------------ - Sponsored by: Watchfire Today's hackers exploit web applications to expose, embarrass and even steal. Firewalls and SSL may be commonplace but recent studies indicate 3 out of 4 websites remain vulnerable to attack. Watchfire's "Addressing Challenges in Application Security" whitepaper, explains what to do and provides a guideline to improving your own application security. Download this whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF ------------------------------------------------------------------------ -- ************************************************************* The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Any opinions expressed are those of the individual and do not represent the opinion of the organisation. Access to this email by persons other than the intended recipient is strictly prohibited. If you are not the intended recipient, any disclosure, copying, distribution or other action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email is subject to the terms and conditions expressed in the applicable Portcullis Computer Security Limited terms of business. ************************************************************** _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: stompy the session stomper - tool availability Thomas L. Romanis (Feb 01)