Re: Web site testing

From: Josh Tolley (josh@raintreeinc.com)
Date: Fri Apr 23 2004 - 13:00:57 EDT


Jerry Shenk wrote:

> I've got a web site that I'm pretty sure has some holes and I've
> reported the problems I've seen but the developer doesn't seem to be
> getting things fixed...seems that they need a little more evidence to
> prove that there's a problem and I'm supposed to find that.
>

Re: session ID predictability, the problem is that all the web server can
know about a session is stored in a database connected with a session
ID, and each page request must provide that session ID. There's really
very little you can do to prove that one computer requesting a page and
providing a session ID is the same computer that logged in and was given
that session ID. You can check browser headers and source IP, but that
gives very little security. So if you know someone with the username
hackme is logged in, and you know the time is 1000 seconds since
midnight, you know his session ID is hackme1000. So since you have spent
some time getting to know the server, you know that all his juicy
details are on juicy.asp, and you request
http://server/juicy.asp?session=hackme1000 or something similar, and it
gives everything to you. It might take more than that in practice to
actually get it to happen, but that's a start at proving why predictable
session IDs are bad. If they weren't predictable, you'd have to sniff
traffic, or see his URL (unless the session IDs are passed in cookies,
in which case this wouldn't work), or something to know the session ID,
making it much more difficult.

-- 
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
760 509 9000
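As an added illustration (not code from the post or from the site being discussed), the username-plus-seconds scheme Josh describes is shown beside a hardened server-side session store; the `SessionStore` class, its method names and the 30-minute lifetime are my own assumptions.

```python
import hashlib
import secrets

# Weak scheme reconstructed from the post (assumed, not the real site's code):
# session ID = username followed by the number of seconds since midnight.
def weak_session_id(username: str, seconds_since_midnight: int) -> str:
    return f"{username}{seconds_since_midnight}"

# Candidate IDs per known username: at most one per second of the day.
WEAK_GUESSES_PER_USER = 24 * 60 * 60

# Hardened scheme: 128 bits from the OS CSPRNG, carrying no user or time information.
SESSION_ID_BYTES = 16
STRONG_GUESSES = 2 ** (8 * SESSION_ID_BYTES)

def strong_session_id() -> str:
    return secrets.token_urlsafe(SESSION_ID_BYTES)

def _key(session_id: str) -> str:
    # Store only a hash so a leaked session table does not yield live IDs.
    return hashlib.sha256(session_id.encode()).hexdigest()

class SessionStore:
    """Server-side session state; the ID is only a lookup key, as the post says."""

    def __init__(self, ttl_seconds: int = 1800):
        self._sessions = {}  # sha256(session_id) -> (username, expires_at)
        self._ttl = ttl_seconds

    def create(self, username: str, now: int) -> str:
        sid = strong_session_id()
        self._sessions[_key(sid)] = (username, now + self._ttl)
        # Deliver sid in an HttpOnly, Secure cookie rather than a URL parameter,
        # so it does not show up in referers, logs or shared links.
        return sid

    def lookup(self, presented_id: str, now: int):
        """Return the username bound to presented_id, or None if unknown or expired."""
        entry = self._sessions.get(_key(presented_id))
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            self.destroy(presented_id)
            return None
        return username

    def destroy(self, presented_id: str) -> None:
        self._sessions.pop(_key(presented_id), None)
```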


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:52 EDT