Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IIS 5 cookie encryption password

from [Serguey Forcade] Network Security [Permanent Link]
Subject: Re: IIS 5 cookie encryption password
Date: Tue, 3 Apr 2007 12:32:58 -0400 
Thanks, but I based my assumptions on an article from Microsoft
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/iisbook/c06_asp_session_id_and_session_security.mspx?mfr=true)

Even tho your statement makes sense. It's just that I haven't been
able to find more info about the relationship between the session ID
and the cookie.

On 4/3/07, Rogan Dawes <discard@dawes.za.net> wrote: 
Serguey Forcade wrote:
> Hi, I'd like to know if anyone knows of a paper that explains how to
> extract the encryption password IIS creates when it starts up, and
> uses to encrypt the session ID + random data in order to generate the
> cookie value the users receives.
>
> I'm interested in IIS 5.0.
>
> Thanks.
>

Take this with a pinch of salt, but I don't think that the session
identifier and the cookie value are directly related.

One reason for this statement is that if you abandon the session (using
ASP), and create a new one, the cookie value does not change. However,
the result of "Session.SessionID" DOES change.

I suspect that the cookie value is generated using a combination of some
static/sequential info, and some random data, and then associated with
the next available (i.e sequential integer) SessionID. When the session
is abandoned, the session object associated with that integer SessionID
is discarded. A subsequent request from the client containing the old
Session Cookie value will then automatically be associated with the next
available sequential integer SessionID.

Hope this helps.

Rogan

P.S. One consequence of this inability to change the cookie value
through abandoning the session is that ASP apps are AUTOMATICALLY
vulnerable to Session Fixation
<http://www.owasp.org/index.php/Session_Fixation>. An approach to
protecting ASP apps against session fixation is shown here
<http://www.owasp.org/index.php/Session_Fixation_Protection>


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  IIS 5 cookie encryption password, Serguey Forcade
Next by Date:  [Full-disclosure] Microsoft .NET request filtering bypass vulnerability (BID 20753), Adrian Pastor
Previous by Thread:  IIS 5 cookie encryption password, Serguey Forcade
Next by Thread:  Re: IIS 5 cookie encryption password, Santiago Barahona
Indexes:  [Date] [Thread] [Top] [All Lists]