Penetration Testing mailing list archives
Re: Web site testing
From: Josh Tolley <josh () raintreeinc com>
Date: Fri, 23 Apr 2004 10:00:57 -0700
Jerry Shenk wrote:
I've got a web site that I'm pretty sure has some holes and I've reported the problems I've seen but the developer doesn't seem to be getting things fixed...seems that they need a little more evidence to prove that there's a problem and I'm supposed to find that.
RE session ID predictability, the problem is that all the web server can know about a session is stored in a database connected with a session ID, and each page request must provide that session ID. There's really very little you can do to prove that one computer requesting a page and providing a session ID is the same computer that logged in and was given that session ID. You can check browser headers and source IP, but that gives very little security. So if you know someone with the username hackme is logged in, and you know the time is 1000 seconds since midnight, you know his session ID is hackme1000. So since you have spent some time getting to know the server, you know that all his juicy details are on juicy.asp, and you request http://server/juicy.asp?session=hackme1000 or something similar, and it gives everything to you. It might take more than that in practice to actually get it to happen, but that's a start at proving why predictable session IDs are bad. If they weren't predictable, you'd have to sniff traffic, or see his URL (unless the session IDs are passed in cookies, in which case this wouldn't work), or something to know the session ID, making it much more difficult.
-- Josh Tolley Raintree Systems, Inc. http://www.raintreeinc.com 760 509 9000