Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Strange cookies

from [Marco Ivaldi] Network Security [Permanent Link]
Subject: Re: Strange cookies
Date: Thu, 24 Apr 2008 10:16:08 +0200 (ora solare Europa occidentale) 
Dirk,

On Wed, 23 Apr 2008, Dirk Reimers wrote:

Hi all, 

[snip]

Does anybody of you guys have some experiences in testing the randomness of cookies? Maybe any tools like n-gram analysis that work with a bounch of numbers? 

You may want to try these free tools:

http://portswigger.net/sequencer/
http://lcamtuf.coredump.cx/stompy.tgz
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

Futhermore, most commercial web application testing suites also include their own tool for analyzing the degree of randomness in session tokens, AFAIK.

Some other useful resources on this subject:

http://blog.portswigger.net/2007/10/introducing-burp-sequencer.html
http://seclists.org/bugtraq/2007/Jan/0626.html
http://www.owasp.org/index.php/Testing_for_Session_Management_Schema
http://www.xs4all.nl/~scusi/SessionID-release/www/index.html
https://addons.mozilla.org/it/firefox/addon/573

Hope this helps. Cheers,

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Secure Code review for JAVA applications, pentestr
Next by Date:  Re: Social Engineering Pentest, Marco Ivaldi
Previous by Thread:  Strange cookies, Dirk Reimers
Next by Thread:  Secure Code review for JAVA applications, pentestr
Indexes:  [Date] [Thread] [Top] [All Lists]