Penetration Testing mailing list archives

Re: Session ID Analysis


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 12 Aug 2010 14:30:01 -0700

> Thanks PortSwigger. I will do that. All I'm looking for is a scientific
> way of indeed proving the non-randomness of the token and if possible
> even predict next tokens.

For a more thorough set of tests, you may want to check out an old
tool of mine, stompy:

http://lcamtuf.coredump.cx/soft/stompy.tgz

But there really is no way around simply spending some time to
understand how these tools work and what their output means in a
particular context.

/mz
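To make concrete what "understanding what the output means" involves, here is an added example that is not part of this thread and is unrelated to stompy's own code: a few basic statistical checks over a sample of hex session tokens. The two token sets are constructed for the example (a hex-encoded counter, and seeded PRNG output standing in for tokens that pass these checks); the function names are the example's own.

```python
"""Basic statistical checks on a sample of session tokens (hex strings)."""
import math
import random
from collections import Counter

# Constructed sample input (not from the thread).
# "Weak": a hex-encoded counter, the kind of token a test suite must flag.
WEAK_TOKENS = [f"{i:08x}" for i in range(1000, 1064)]
# "Strong": 32-bit values from a seeded PRNG, standing in for output that
# passes these checks (seeded only so the sample is reproducible; a real
# session generator must use a CSPRNG, not random.Random).
_rng = random.Random(20100812)
STRONG_TOKENS = [f"{_rng.getrandbits(32):08x}" for _ in range(256)]


def positional_entropy(tokens):
    """Shannon entropy (bits) of the symbol seen at each character position.

    A position that never changes contributes 0 bits; a uniformly random
    hex digit contributes close to 4 bits once the sample is large enough.
    """
    width = min(len(t) for t in tokens)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        n = sum(counts.values())
        h = -sum((c / n) * math.log2(c / n) for c in counts.values())
        result.append(h)
    return result


def entropy_estimate(tokens):
    """Crude upper bound on token entropy: the sum of per-position entropies.

    It ignores dependencies between positions, so a low value is damning
    while a high value is only a first hint that the token may be fine.
    """
    return sum(positional_entropy(tokens))


def looks_like_counter(tokens):
    """True when consecutive tokens, read as integers, differ by a constant."""
    values = [int(t, 16) for t in tokens]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def monobit_pvalue(tokens):
    """Frequency (monobit) test over the concatenated bits of all tokens.

    Returns a p-value; values below about 0.01 indicate a bias toward 0s
    or 1s (for instance the zero padding in front of a short counter).
    """
    bits = "".join(f"{int(t, 16):0{4 * len(t)}b}" for t in tokens)
    n = len(bits)
    s = bits.count("1") - bits.count("0")
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def report(name, tokens):
    """Print the three checks for one token sample."""
    per_pos = positional_entropy(tokens)
    print(f"{name}: entropy per position = {[round(h, 2) for h in per_pos]}")
    print(f"  estimate = {entropy_estimate(tokens):.1f} bits,"
          f" counter = {looks_like_counter(tokens)},"
          f" monobit p = {monobit_pvalue(tokens):.3g}")


if __name__ == "__main__":
    report("weak", WEAK_TOKENS)
    report("strong", STRONG_TOKENS)
```

The point of running both samples side by side is the caveat in the reply above: each check answers a narrow question. The counter check catches one specific defect, the monobit test only sees overall bit bias, and the per-position entropy sum can overstate entropy when positions are correlated, so passing all three says little on its own, while failing any one of them is a finding worth writing up.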

