Penetration Testing mailing list archives

Re: Session ID Analysis


From: Steve Pinkham <steve.pinkham () gmail com>
Date: Fri, 13 Aug 2010 17:54:07 -0400

Be cautious with WebScarab's session analysis: In my opinion it is worse
than useless. It gives you an idea you're doing a good test when you're not.
Both Stompy and Burp use high quality statistical randomness tests,
which are much more telling about potential problems than a pretty
graph.  If you can't read the output of either one of those tools and
interpret it, you're not qualified to test for randomness.


On 08/12/2010 11:51 PM, Shankar Arjunan wrote:
Hi,

Did you try WebScarab?  Webscarab can help you on Session ID as well.

Thanks/Shankar



-- 
 | Steven Pinkham, Security Researcher    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |
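The kind of bit-level statistical testing the reply refers to, as an added example; this is not code from the thread, from Burp or from Stompy, only a small reimplementation of the same idea. It assumes the session IDs are equal-length hex strings, treats every bit position as a column across the sample, and runs a monobit test and a Wald-Wolfowitz runs test on each column. The sample sets are constructed (a counter with a constant prefix, and a seeded PRNG standing in for a CSPRNG so the run is reproducible), and the z threshold of 3.29 is a value chosen for the demo, not one taken from either tool.

```python
"""Added example: bit-level statistical tests of a session-ID sample.

Mirrors in spirit what Burp Sequencer and Stompy do (it is not their code):
line the tokens up, take each bit position as a column, and run a monobit
test and a Wald-Wolfowitz runs test on every column. Bits that are constant,
biased or patterned are counted out of the "effective entropy".
"""
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Two-sided z threshold, roughly p = 0.001 per test. Assumed for the demo,
# not a value taken from either tool.
Z_THRESHOLD = 3.29


@dataclass
class BitVerdict:
    position: int             # 0 = most significant bit of the token
    ones: int                 # how many tokens have this bit set
    runs: int                 # runs of identical values down the column
    monobit_z: float
    runs_z: Optional[float]   # None for a constant column (test undefined)
    status: str               # "ok", "fixed", "biased" or "runs"


def tokens_to_bits(tokens: List[str]) -> Tuple[List[List[int]], int]:
    """Decode equal-length hex tokens into rows of bits, MSB first."""
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("all tokens must have the same length")
    nbits = width * 4
    rows = [[(int(t, 16) >> (nbits - 1 - i)) & 1 for i in range(nbits)]
            for t in tokens]
    return rows, nbits


def monobit_z(ones: int, n: int) -> float:
    """Under H0 the count of ones is Binomial(n, 1/2): mean n/2, sd sqrt(n)/2."""
    return (ones - n / 2) / (math.sqrt(n) / 2)


def runs_z(column: List[int]) -> Tuple[int, float]:
    """Wald-Wolfowitz runs test; caller guarantees the column is not constant."""
    n = len(column)
    n1 = sum(column)
    n0 = n - n1
    runs = 1 + sum(1 for a, b in zip(column, column[1:]) if a != b)
    mu = 2.0 * n1 * n0 / n + 1
    var = 2.0 * n1 * n0 * (2 * n1 * n0 - n) / (n * n * (n - 1))
    return runs, (runs - mu) / math.sqrt(var)


def analyze(tokens: List[str], z_threshold: float = Z_THRESHOLD) -> List[BitVerdict]:
    """Test every bit position of the sample and return one verdict per bit."""
    rows, nbits = tokens_to_bits(tokens)
    n = len(tokens)
    verdicts = []
    for pos in range(nbits):
        column = [row[pos] for row in rows]
        ones = sum(column)
        mz = monobit_z(ones, n)
        if ones in (0, n):
            # A constant bit carries no entropy; the runs test is undefined here.
            verdicts.append(BitVerdict(pos, ones, 1, mz, None, "fixed"))
            continue
        runs, rz = runs_z(column)
        if abs(mz) > z_threshold:
            status = "biased"   # too many or too few ones
        elif abs(rz) > z_threshold:
            status = "runs"     # e.g. alternating or slowly changing counter bits
        else:
            status = "ok"
        verdicts.append(BitVerdict(pos, ones, runs, mz, rz, status))
    return verdicts


def effective_entropy_bits(verdicts: List[BitVerdict]) -> int:
    """Crude estimate: the number of bit positions that pass every test."""
    return sum(1 for v in verdicts if v.status == "ok")


# Constructed samples, not captured cookies. The weak set is a 64-bit counter
# behind a constant prefix; the strong set uses a seeded Mersenne Twister
# standing in for a CSPRNG so the run is reproducible (never use random.Random
# to mint real session IDs).
WEAK_TOKENS = [f"{0x1A2B3C4D00000000 + i:016x}" for i in range(256)]
_rng = random.Random(20100813)
STRONG_TOKENS = [f"{_rng.getrandbits(64):016x}" for _ in range(256)]


if __name__ == "__main__":
    for name, sample in (("counter", WEAK_TOKENS), ("prng", STRONG_TOKENS)):
        v = analyze(sample)
        counts = {s: sum(1 for x in v if x.status == s)
                  for s in ("ok", "fixed", "biased", "runs")}
        print(f"{name}: {counts}, effective entropy ~{effective_entropy_bits(v)} bits")
```

On the counter sample the 56 high bits come back "fixed" and the low bits, which are perfectly balanced and so pass the monobit test, are caught by the runs test because they flip on a fixed period. The second-lowest counter bit is the exception: it has exactly the number of ones and the number of runs a random column would have, so both tests pass it. That is the practical caveat behind the advice above: a per-bit report has to be read and interpreted, not reduced to a single score or a graph.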
