Penetration Testing mailing list archives

SessionId Prediction - Classic ASP - Tool?


From: "Jay" <jay.tomas () infosecguru com>
Date: Fri, 22 Feb 2008 11:36:11 -0500

Have read several articles on classic .asp that it's possible to predict session id. Has anyone had any practical 
experience with this or know of a tool that can assist with this?

From an article,

"The session ID is a read-only value that uniquely identifies the current clients to the Web server. In classic ASP, 
session IDs are assigned in a sequential manner--the session ID 706616433 is followed by the session ID 706616434, and 
so on. The classic ASP session ID is stored on the client's machine in the form of an encrypted nonpersistent cookie. 
For example, the session ID 706616434 would be stored on the client machine as the cookie 
ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE." - Edmond Woychowsky

How is it known that 706616434 equates to ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE?

Any advice or tool suggestions would be appreciated.

Jay
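
An added example, not part of the original post: a defender's check that measures how many character positions change across session cookie values issued by an application you operate, which is how sequential assignment of the kind the quoted article describes shows up in a sample. The `weak_token` encoder, the 16-letter alphabet and both sample sets are constructed for illustration and are not ASP's actual cookie encoding; 706616433 is reused from the quote only as a counter start value.

```python
import math
import secrets
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOP"  # constructed 16-letter alphabet for the sample data

def weak_token(counter, width=24):
    """Constructed stand-in for a sequential generator (not ASP's real encoding)."""
    digits = []
    for _ in range(width):
        counter, r = divmod(counter, 16)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits))

def position_entropy(tokens):
    """Shannon entropy in bits of each character position across the sample."""
    if len({len(t) for t in tokens}) != 1:
        raise ValueError("tokens must all have the same length")
    n = len(tokens)
    return [-sum(c / n * math.log2(c / n) for c in Counter(col).values())
            for col in zip(*tokens)]

def assess(tokens, min_varying_fraction=0.9):
    """Flag a sample whose tokens differ in only a few positions."""
    profile = position_entropy(tokens)
    varying = [i for i, h in enumerate(profile) if h > 0]
    fraction = len(varying) / len(profile)
    return {"varying_positions": varying,
            "varying_fraction": fraction,
            "predictable": fraction < min_varying_fraction}

# Constructed samples: 16 consecutive counter values vs. 16 CSPRNG tokens.
SEQUENTIAL = [weak_token(706616433 + i) for i in range(16)]
RANDOM = [secrets.token_hex(12).upper() for _ in range(16)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("random", RANDOM)):
        r = assess(sample)
        print(name, len(r["varying_positions"]), "of", len(sample[0]),
              "positions vary ->", "PREDICTABLE" if r["predictable"] else "ok")
```

A sample that changes in only a handful of positions points to a counter or timestamp behind the encoding; the remedy is to issue identifiers from a CSPRNG and regenerate them at login.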

