WebApp Sec mailing list archives
Re: ColdFusion - CFID & CFTOKEN
From: Rogan Dawes <lists () dawes za net>
Date: Thu, 14 Apr 2005 08:35:35 +0200
Jason binger wrote:
Sample a number of userids with WebScarab, allow it to perform the calculations and graph it. Any non-randomness will show up immediately as a visual indicator.I am currently doing some work with CF MX 6.1 and was wondering if anyone had some information on the strength of the CF cookie implementation. How random the token generation is? How is the generation performed?What is the range of the generated tokens? Has an independent security analysis been performedand commented on in a public paper? I have not seen any vendor supplied information on this. Cheers, Jason
Note, if the sessionid is something like MD5(time), the sessionid will appear random to external analysis, but someone with knowledge of the implementation would still be in a position to brute force session ids.
Regards, Rogan
Current thread:
- ColdFusion - CFID & CFTOKEN Jason binger (Apr 13)
- RE: ColdFusion - CFID & CFTOKEN Andrew van der Stock (Apr 13)
- Re: ColdFusion - CFID & CFTOKEN Rogan Dawes (Apr 14)
- Re: ColdFusion - CFID & CFTOKEN Amit Klein (AKsecurity) (Apr 18)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
- Re: ColdFusion - CFID & CFTOKEN ron thigpen (May 11)
- Re: ColdFusion - CFID & CFTOKEN leighm (May 15)