WebApp Sec mailing list archives

RE: XSS and URL Encoded Session IDs


From: "The Crocodile" <tcroc () cow pasture com>
Date: Tue, 17 Dec 2002 07:10:12 -0500

How random is the entropy on the SessionIDs?  If it can be easily (or at
least semi-easily) predicted, you have your answer.  Try harvesting as
many IDs as you can and see if you can find any patterns.  Once you have
discovered a pattern, write a script that keeps taking IDs; once you
see one of the IDs skipped, you know that it was taken by someone else.

Not the end-all, be-all of ways to do it, but it is something to think
about.

--The Crocodile

-----Original Message-----
From: B F [mailto:zaphod_b71 () hotmail com] 
Sent: Monday, December 16, 2002 3:19 PM
To: webappsec () securityfocus com
Subject: XSS and URL Encoded Session IDs

Hi List,

recently I did my first "real" WebApp Audit, so I'm quite
new to this topic. The application in question has lots of
XSS vulnerabilities, but they are only accessible if you
already know the SessionID of a specific user. Example:

https://somesite.com/bad.asp?SID=4243434234234234?ID=<xss string of choice>

As you may have noticed, the site is only accessible via HTTPS.
So how to craft a URL which will trigger the XSS? Don't
I have to know the SessionID first?

The only thing I can think of is to exploit a client side vuln.
to get the SID.

Any better ideas?

BF
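Added example (not from either poster) of the predictability check the reply above describes, seen from the auditor's side: it scores a sample of session IDs by per-position Shannon entropy and by counter-like increments between consecutive IDs. The weak ID format, the 64-bit floor and the step threshold are assumptions, and both ID samples are constructed.

```python
import math
import secrets
from collections import Counter

# Constructed samples. WEAK_IDS mimics an all-digit SID built from a fixed
# prefix plus a counter (hypothetical scheme); STRONG_IDS are 128 bits from
# the OS CSPRNG for comparison.
WEAK_IDS = [f"42434342{n:08d}" for n in range(1000, 1050)]
STRONG_IDS = [secrets.token_hex(16) for _ in range(50)]


def position_entropy(ids):
    """Shannon entropy (bits) of each character position across the sample.

    A position that never changes contributes 0 bits; a uniform hex position
    approaches 4 bits. A small total means most of the ID is fixed and one
    observed value already reveals the others.
    """
    width = min(len(i) for i in ids)
    bits = []
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        total = sum(counts.values())
        bits.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return bits


def sequential_fraction(ids, max_step=10):
    """Fraction of consecutive IDs whose numeric difference is a small step.

    IDs are parsed as hex (a superset of decimal digits). Near 1.0 means the
    IDs increment like a counter, so a harvested sample predicts the next ones.
    """
    try:
        nums = [int(i, 16) for i in ids]
    except ValueError:
        return 0.0  # not numeric at all, so no counter pattern to measure
    steps = [abs(b - a) for a, b in zip(nums, nums[1:])]
    if not steps:
        return 0.0
    return sum(1 for s in steps if 0 < s <= max_step) / len(steps)


def assess(ids, min_bits=64):
    """Summarise a sample: estimated total bits and a predictability verdict."""
    bits = position_entropy(ids)
    seq = sequential_fraction(ids)
    predictable = seq > 0.5 or sum(bits) < min_bits
    return {"est_bits": round(sum(bits), 1), "sequential": round(seq, 2),
            "predictable": predictable}
```

The entropy estimate is biased low for small samples, so treat a clearly strong result as reassuring rather than exact; a sample in the hundreds gives a steadier figure.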
