Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SessionId Prediction - Classic ASP - Tool?

from [Stefano Di Paola] Network Security [Permanent Link]
Subject: Re: SessionId Prediction - Classic ASP - Tool?
Date: Sat, 23 Feb 2008 12:52:09 +0100 
Hi Jay,

Il giorno ven, 22/02/2008 alle 11.36 -0500, Jay ha scritto:

How is it known that 706616434  equates to 
ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE?


have a look at http://www.cgisecurity.com/lib/SessionIDs.pdf
"..
IIS ASP SessionID
Session ID values are 32-bit long integers.
Each time the Web server is restarted, a random session ID starting
value is selected.
For each new ASP session that is created, the session ID value is
incremented.
The 32-bit session ID is mixed with random data and encrypted to
generate a 16character cookie string. Later, when a cookie is received,
the session ID is decrypted from the 16-character cookie string.
The encryption key is randomly selected each time the Web server is
restarted.
.."

Cheers,
Stefano
-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
..................


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Split Kismet log file, Stephen Hall
Next by Date:  Re: Split Kismet log file, Glenn Forbes Fleming Larratt
Previous by Thread:  SessionId Prediction - Classic ASP - Tool?, Jay
Next by Thread:  Re: SessionId Prediction - Classic ASP - Tool?, ushacker20002001
Indexes:  [Date] [Thread] [Top] [All Lists]