Penetration Testing mailing list archives
Session ID Analysis
From: "M.D.Mufambisi" <mufambisi () gmail com>
Date: Thu, 12 Aug 2010 10:36:31 +1000
Hi, I have been analysing session IDs generated by a test site (for security practice) using burp. Burp reports that the randomnes of the sessionids is extremely poor. having a look at the session Ids, i can tell the first 50 or so bytes are about the same on all sessionIDs. And the other 10 appear to change. I bet burp got to this conclusion based on the first 50 bytes or so. Suppose the developer came and said yes, the first 50bytes are based on a calculation by date (hence they are all teh same) but the last 10 bytes are extremely random...how would i be able to confirm or deny this? I will paste a couple of the sessionIds here and I would be most grateful if I got ideas of what the changing bytes could be. Ultimately i want to see if i will be able to predict sessionIDs. May i also kindly have suggestions of software that i can use to find solutions to the above or to analyse sessionIds. thanks. I will paste a sample of the session Ids here for your perusal. tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdexuhbbM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcO5qjLLF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdu9rhLHK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tde5qhLbF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tculug7nL9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeOhpgrfM8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+lpjLPL9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdelvhLbM/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tc+ttgLHE9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcOpphLPK/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tdutph7jP/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdepohrfL9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TcuVsjbbI8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TeORvjLXL/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Td+VshLDI/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+TdeVthrTE8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37D1DSfcgLqokBpnTBSEX+F+Tcu1jg7jJ/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdeRsgLfI8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOVsgrLN9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduRvjbHI8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tdu5qhrDO9unOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexjhrnJ8OjHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1jgLTO9+fGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5qgrjJ/ebEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+hphLLP9+zDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdO5igrTN/e/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tc+9ijLDE/OrBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Tee5tjLjO9OzAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdupogbjF8+nOPaw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdelrgLbO/ejHP6s= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcOprgrLF/OfGPqw= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TeepojLnP8ObEOa0= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+RvhrPM/OzDOqI= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TdexohLnF8O/CP6M= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TcO1ohrTK9+rBMa4= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+TduxrgbPF8ezAMKM= tQ0mWP3eTWy2dsm9ZEOvRB7djuKHP8lob8S37DxKSfcgLqokBpnTBSEX+F+Td+9vjLLL9unOPaw= ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Session ID Analysis M.D.Mufambisi (Aug 12)
- Message not available
- Re: Session ID Analysis M.D.Mufambisi (Aug 12)
- Message not available
- Re: Session ID Analysis PortSwigger (Aug 12)
- Re: Session ID Analysis M.D.Mufambisi (Aug 12)
- Re: Session ID Analysis Michal Zalewski (Aug 12)
- Re: Session ID Analysis M.D.Mufambisi (Aug 12)
- Re: Session ID Analysis Steve Pinkham (Aug 12)
- Re: Session ID Analysis Shankar Arjunan (Aug 13)
- Re: Session ID Analysis Steve Pinkham (Aug 16)