Penetration Testing mailing list archives

Re: SessionID analysis tools/methods?


From: "rajat swarup" <rajats () gmail com>
Date: Tue, 14 Oct 2008 10:06:56 -0400

On Mon, Oct 13, 2008 at 12:02 PM,  <lister () lihim org> wrote:
In WebScarab, I notice that the entire item is compared as a whole;
how do I break the JSESSION into pieces, or determine which part of the
entire string is random (i.e., if the JSESSION uses 0000 at the beginning,
how do I find out which parts of the entire string are static, or not
as random)?

I've seen some people use the SESSIONID to store information about the app
(i.e., append or prepend information, with the randomness somewhere in between).

I'd be interested in any other tools (gui or non-gui) to analyse randomness
of SessionIDs.

On a more theoretical level, what mathematical/statistical tests should be
conducted against the data?

Due to the quirkiness of the tools, I generally try to use curl and bash to
collect a bunch of session IDs.  Once you have that, you could use
either Excel or OpenOffice to create graphs to get you the patterns.

A sample script could look like this:

for i in $(seq 100)
do
  # -i keeps the response headers so the Set-Cookie line is visible,
  # -k skips certificate verification, -s hides the progress meter
  sessid=$(curl -s -k -i -d "username=username&password=password&whatever=youneed" \
    https://www.example.com/login | grep -i session)
  echo "$sessid"
done

You could awk out the output the way you please.  Paste into xls and
go to Insert -> Chart -> Line.  Select the rows of pasted session IDs
in xls and you get a nice-looking customized graph for session ID
analysis.
This works for most cases where you might otherwise need custom tools to get a
decent output.

Just my two cents,
Rajat.
-- 
Rajat Swarup

http://rajatswarup.blogspot.com/
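A small Python script for the question raised in the thread (which parts of the ID are static and which vary), added here and not part of Rajat's reply: it parses the Set-Cookie lines the curl loop captures, computes per-position Shannon entropy, and collapses the positions into static and variable segments. The Set-Cookie lines are constructed stand-ins, not a real capture.

```python
import math
import re
from collections import Counter

# Constructed sample, standing in for what `curl -i ... | grep -i session`
# prints per login: static "0000" prefix and ".node1" suffix, variable middle.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=0000A7F3C1.node1; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=0000B2E9D4.node1; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=00003C08A9.node1; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=0000F1D67E.node1; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=00009E4B20.node1; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=00006A3F85.node1; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=0000D05C17.node1; Path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=00002B9E6A.node1; Path=/; HttpOnly",
]

def extract_ids(header_lines, cookie="JSESSIONID"):
    """Pull the cookie value out of captured Set-Cookie lines."""
    pat = re.compile(re.escape(cookie) + r"=([^;\s]+)")
    return [m.group(1) for m in map(pat.search, header_lines) if m]

def position_entropy(ids):
    """Shannon entropy in bits of the character at each position. Zero means
    the position never changes; the ceiling is log2(len(ids)), so a small
    sample shows only that a position varies, not that it is unpredictable."""
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("IDs differ in length; split or decode them first")
    total = len(ids)
    result = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids).values()
        result.append(-sum(c / total * math.log2(c / total) for c in counts))
    return result

def segments(entropy, threshold=0.0):
    """Collapse per-position entropies into (start, end, kind) runs."""
    runs = []
    for pos, h in enumerate(entropy):
        kind = "variable" if h > threshold else "static"
        if runs and runs[-1][2] == kind:
            runs[-1] = (runs[-1][0], pos + 1, kind)
        else:
            runs.append((pos, pos + 1, kind))
    return runs

if __name__ == "__main__":
    print(segments(position_entropy(extract_ids(SAMPLE_HEADERS))))
```

To run it on a real capture, replace SAMPLE_HEADERS with the loop's output; if the IDs are hex or base64 encoded, decode them first so the positions line up with the underlying bytes.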
