Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] stompy the session stomper - tool availability

from [Rogan Dawes] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] stompy the session stomper - tool availability
Date: Sun, 28 Jan 2007 09:01:13 +0200 
Michal Zalewski wrote:

Hi all,

I'd like to announce the availability of 'stompy', a free tool to perform
a fairly detailed black-box assessment of WWW session identifier
generation algorithms. Session IDs are commonly used to track
authenticated users, and as such, whenever they're predictable or simply
vulnerable to brute-force attacks, we do have a problem.

  

[snip]

Yet, while there are several nice GUI-based tools designed to analyze HTTP
cookies for common problems (Daves' WebScarab, SPI Cookie Cruncher,
  

Just wanted to point out that Dave has had nothing to do with WebScarab 
(and that I recognise that WebScarab's analysis is pretty trivial). 
Would you have any objection to me including/porting Stompy's analysis 
portion into WebScarab, to make it more accessible to folk?

Regards,

Rogan Dawes
WebScarab author

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] stompy the session stomper - tool availability, Michal Zalewski
Next by Date:  [Full-disclosure] [SECURITY] [DSA 1254-1] New bind9 packages fix denial of service, Moritz Muehlenhoff
Previous by Thread:  Re: [Full-disclosure] stompy the session stomper - tool availability, Simon Smith
Next by Thread:  Re: [Full-disclosure] stompy the session stomper - tool availability, Michal Zalewski
Indexes:  [Date] [Thread] [Top] [All Lists]