SessionId Prediction - Classic ASP - Tool?

From: Jay (jay.tomas@infosecguru.com)
Date: Fri Feb 22 2008 - 11:36:11 EST


Have read several articles on classic .asp that it's possible to predict session id. Has anyone had any practical experience with this or know of a tool that can assist with this?

From an article,

"The session ID is a read-only value that uniquely identifies the current clients to the Web server. In classic ASP, session IDs are assigned in a sequential manner - the session ID 706616433 is followed by the session ID 706616434, and so on. The classic ASP session ID is stored on the client's machine in the form of an encrypted nonpersistent cookie. For example, the session ID 706616434 would be stored on the client machine as the cookie ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE." - Edmond Woychowsky

How is it known that 706616434 equates to ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE?

Any advice or tool suggestions would be appreciated.

Jay
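Added example, not part of the original post or the quoted article: a check a site owner can run over a sample of session tokens issued by their own application to see whether they behave like an encoded counter or like random values. `encode_counter` is a constructed stand-in for "a fixed reversible encoding of a sequential ID" and is not the real classic ASP cookie scheme; the A-P alphabet is chosen only because every letter in the sample cookie above falls in that range.

```python
import math
import secrets
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOP"  # assumption: matches the letters seen in the sample cookie

def encode_counter(n: int, key: int = 0x5A5A5A5A) -> str:
    """Constructed stand-in: XOR a 32-bit counter with a fixed key, one letter per nibble."""
    v = (n ^ key) & 0xFFFFFFFF
    return "".join(ALPHABET[(v >> shift) & 0xF] for shift in range(28, -4, -4))

def random_token(length: int = 24) -> str:
    """What a session token should look like: every character drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def varying_positions(tokens):
    """Indexes at which the sampled tokens do not all share the same character."""
    return [i for i, col in enumerate(zip(*tokens)) if len(set(col)) > 1]

def entropy_bits(tokens):
    """Sum of per-position Shannon entropy observed in the sample, in bits."""
    n = len(tokens)
    total = 0.0
    for col in zip(*tokens):
        for count in Counter(col).values():
            p = count / n
            total -= p * math.log2(p)
    return total

def report(name, tokens):
    """Summarise a sample: few varying positions and low entropy indicate a counter."""
    var = varying_positions(tokens)
    width = len(tokens[0])
    return f"{name}: {len(var)}/{width} positions vary, ~{entropy_bits(tokens):.1f} bits observed"

if __name__ == "__main__":
    # Constructed samples: 16 consecutive IDs starting at the value quoted in the
    # article, and 200 tokens from the CSPRNG generator for comparison.
    sequential = [encode_counter(706616433 + i) for i in range(16)]
    randomised = [random_token() for _ in range(200)]
    print(report("counter-derived", sequential))
    print(report("CSPRNG", randomised))
```

A sample in which only the trailing positions change between consecutively issued tokens means the value is derived from a counter, however opaque the encoding looks; the fix is to issue tokens from a cryptographically secure random source.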




