WebApp Sec mailing list archives

RE: Paros v3.0.1 for web application security assessment


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Tue, 16 Sep 2003 09:13:20 +0200

I mailed a description of what I do in these situations to the list a few
months back, along with the actual Perl scripts that implement the
technique. Also, Exodus (http://home.intekom.co.za/rdawes/exodus.html) has
the ability to collect and convert sessionIDs using this technique.
Unfortunately, at this point it does not graph them for you, but you should
be able to write out the values that you calculate and pass them to gnuplot
or your favourite graphing program.

Please see
http://www.pantek.com/library/general/lists/securityfocus.com/webappsec/msg00552.html
for the original posting, and the files that I sent to the list.

Rogan

-----Original Message-----
From: Sakaba [mailto:Sakaba () alexandria cc] 
Sent: 15 September 2003 02:57 PM
To: webappsec () securityfocus com
Subject: RE: Paros v3.0.1 for web application security assessment


Hi guys,

As part of my latest escapades I'm pen testing a web app. This isn't the
usual scan-and-be-done-with-it kind of pen test. I am doing an in-depth
analysis of everything that passes to and from the client and server,
indexing all variables to understand their usage, and I will proceed to run
overflow and SQL injection tests on them. That's the easy part.

The hard part is the sessionID. I'd love to understand how they create
their sessionID. If I could guess live sessionIDs I could possibly hijack
a session, and obviously this would be pretty impressive to the client. The
sessionID reeks of being a hash of something: not any one variable that
I've seen via MD5 or SHA-1 or base64 encoding, but probably some combo of
things, or possibly the ASP sessionID hashed. I was just wondering from the
group: what techniques do you use when you get a hashed sessionID to figure
out what kind of hash it is and what it is that was hashed? What kind of
sessionIDs do you usually encounter in the field?

Any thoughts?
Thanks,
sakaba
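Rogan's collect-and-convert approach and Sakaba's question about recognising the hash behind a sessionID, as one added example that is not part of either post and is not Rogan's Perl scripts or Exodus: the script classifies tokens by alphabet and digest length (which only ever says "MD5-sized", never "is MD5"), maps them to integers and "index value" rows for gnuplot, measures character entropy, and brute-forces the "what was hashed" question by hashing a candidate list of inputs and looking for matches. The session IDs are constructed inline (WEAK_IDS simulates a server that MD5s an incrementing counter; STRONG_IDS are hand-typed hex values standing in for a proper random generator), and the candidate preimage list, algorithm set and all function names are this example's own assumptions.

```python
import base64
import hashlib
import math
import string
from collections import Counter

# Constructed sample data, not captured from any real application.
# WEAK_IDS simulates a server handing out md5(counter): the values look
# random when plotted, but the preimage is trivially guessable.
WEAK_IDS = [hashlib.md5(str(n).encode()).hexdigest() for n in range(1000, 1010)]
# STRONG_IDS are hand-typed 128-bit hex values standing in for a CSPRNG.
STRONG_IDS = [
    "7b1a4e90c3d5f2a8e60b9d4c1f3a8e72",
    "c2f7a13d9e84b6015fa0d7c3e9b241a6",
    "5e0d3c8a71b9f46e2ad6c05f8b37e914",
    "a94f61b02e7c8d53f1b0e9a6d4c27f08",
    "3d8b2ce7f5a1094b6e7c3f0a8d51b2e9",
]

DIGEST_BITS = {32: "MD5-sized", 40: "SHA-1-sized", 64: "SHA-256-sized"}


def is_hex(token):
    return bool(token) and all(c in string.hexdigits for c in token)


def classify(token):
    """Guess what a token looks like from alphabet and length alone.
    A digest-length hex string is reported as "X-sized": any 128-bit value prints the same."""
    if is_hex(token) and len(token) in DIGEST_BITS:
        return f"{DIGEST_BITS[len(token)]} hex ({len(token) * 4} bits)"
    if token.isdigit():
        return "decimal integer"
    if is_hex(token):
        return f"hex ({len(token) * 4} bits)"
    b64 = set(string.ascii_letters + string.digits + "+/=")
    if token and all(c in b64 for c in token):
        return f"base64-like (~{len(token.rstrip('=')) * 6} bits)"
    return "unknown alphabet"


def to_int(token):
    """Map a token to an integer so a run of IDs can be differenced or plotted.
    Short all-hex tokens such as 'abcd' are ambiguous with base64; hex wins here."""
    if is_hex(token) and len(token) in DIGEST_BITS:
        return int(token, 16)
    if token.isdigit():
        return int(token, 10)
    if is_hex(token):
        return int(token, 16)
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    return int.from_bytes(base64.b64decode(padded), "big")


def deltas(values):
    """Differences between consecutive values; a small, steady delta means a counter."""
    return [b - a for a, b in zip(values, values[1:])]


def bits_per_char(tokens):
    """Shannon entropy of the character distribution across all collected tokens.
    Hex tops out at 4.0; well below that suggests fixed or low-variance positions."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def gnuplot_lines(tokens):
    """'index value' rows to write to a file and feed gnuplot (plot 'ids.dat' with points)."""
    return [f"{i} {to_int(t)}" for i, t in enumerate(tokens)]


def guess_preimage(tokens, candidates, algorithms=("md5", "sha1", "sha256")):
    """Brute-force the 'what was hashed' question: hash every candidate input with
    each algorithm and report which observed tokens match (assumed candidate set)."""
    table = {}
    for alg in algorithms:
        for cand in candidates:
            table[hashlib.new(alg, cand.encode()).hexdigest()] = (alg, cand)
    return {t: table[t.lower()] for t in tokens if t.lower() in table}


def summarize(tokens, candidates=()):
    """One-shot report over a collected run of session IDs."""
    values = [to_int(t) for t in tokens]
    return {
        "looks_like": classify(tokens[0]),
        "bits_per_char": round(bits_per_char(tokens), 3),
        # bit length of the value range: tiny for counters, ~128 for random 128-bit IDs
        "spread_bits": (max(values) - min(values)).bit_length(),
        "recovered": guess_preimage(tokens, candidates),
    }


if __name__ == "__main__":
    counters = [str(n) for n in range(5000)]  # assumed candidate preimages
    for name, ids in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(name, summarize(ids, counters))
    print("\n".join(gnuplot_lines(WEAK_IDS)))
```

Run against the weak set the report recovers every ID as md5 of a four-digit counter, while the strong set recovers nothing and shows a spread near 128 bits; the entropy and spread figures are only sanity checks, and the preimage search is only as good as the candidate list (counters, timestamps, IP addresses, usernames are the usual first guesses).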



