Network Security: Detailed info on Re: ColdFusion

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Re: ColdFusion - CFID & CFTOKEN

from [Rogan Dawes] Network Security

[Permanent Link]

Subject:	Re: ColdFusion - CFID & CFTOKEN
Date:	Thu, 14 Apr 2005 08:35:35 +0200

Jason binger wrote:

I am currently doing some work with CF MX 6.1 and was
wondering if anyone had some information on the
strength of the CF cookie implementation.
How random the token generation is? How is the generation performed? What is the range of the generated tokens? Has an independent security analysis been performed and commented on in a public paper?
I have not seen any vendor supplied information on
this.
Cheers,
Jason

Sample a number of userids with WebScarab, allow it to perform the calculations and graph it. Any non-randomness will show up immediately as a visual indicator.

Note, if the sessionid is something like MD5(time), the sessionid will appear random to external analysis, but someone with knowledge of the implementation would still be in a position to brute force session ids.

Regards,

Rogan

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
ColdFusion - CFID & CFTOKEN, Jason binger RE: ColdFusion - CFID & CFTOKEN, Andrew van der Stock Re: ColdFusion - CFID & CFTOKEN, Rogan Dawes <= Re: ColdFusion - CFID & CFTOKEN, Amit Klein (AKsecurity)

Previous by Date:	Re: webapp dependencies, victor calzado
Next by Date:	RE: webapp dependencies, Ory Segal
Previous by Thread:	RE: ColdFusion - CFID & CFTOKEN, Andrew van der Stock
Next by Thread:	Re: ColdFusion - CFID & CFTOKEN, Amit Klein (AKsecurity)
Indexes:	[Date] [Thread] [Top] [All Lists]