Web applications attacks/Predictable sessions
Description
Examples
- The WebGoat "Hijack a Session" lesson shows how to hijack a predictable session by brute-forcing its identifier.
- The WebGoat "Spoof an Authentication Cookie" lesson is another example of a predictable session, this time caused by a weak encryption mechanism.
- The WebGoat "Session Fixation" lesson shows how attackers can steal a user's data by forcing the user to connect with a session the attacker *prepared* in advance.
Protection
Tools
- Crowbar is a brute-forcer that can be used to crack predictable session IDs.
- Burp Sequencer analyzes the distribution of sampled session IDs to estimate their randomness.
- WebScarab has a tool, SessionID Analysis, for determining the randomness of generated session IDs.
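The tools above all do the same basic job: collect a batch of session IDs and check whether they vary enough to resist guessing. The following is an added example, not part of the original page and not the code of Burp, WebScarab or Crowbar. It is a deliberately simplified offline version of that analysis: it sums the per-position Shannon entropy of a batch of equal-length IDs and checks whether consecutive IDs advance by a constant step, which is how counter-based generators give themselves away. The `weak_ids` generator, the `64`-bit threshold and the sample sizes are constructed assumptions for illustration; the strong generator uses Python's `secrets` module, which is the kind of CSPRNG a server should actually use.

```python
"""Rough randomness check on a batch of session IDs (constructed example)."""
import math
import secrets
from collections import Counter


def per_position_entropy(ids):
    """Sum of the Shannon entropy (bits) of every character position.

    A position whose character never changes across the batch contributes
    zero, so a 32-character ID with only two moving characters scores low
    no matter how long it looks.  With a small sample the figure for a
    truly random ID is below its theoretical maximum; the useful signal is
    the gap between generators, not the absolute number.
    """
    if not ids:
        raise ValueError("need at least one ID")
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("IDs must have equal length")
    n = len(ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        total += -sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def constant_step(ids, base=16):
    """Return the step if every consecutive pair of IDs differs by the same
    amount when parsed as integers, otherwise None.  A counter or a
    timestamp-derived ID sampled at a fixed rate is caught here even if the
    entropy figure alone looked borderline."""
    values = [int(s, base) for s in ids]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def assess(ids, min_bits=64.0):
    """Combine both checks.  min_bits is an assumed threshold for this
    example: below it, brute-forcing a live session is realistic."""
    step = constant_step(ids)
    bits = per_position_entropy(ids)
    return {
        "entropy_bits": bits,
        "step": step,
        "predictable": step is not None or bits < min_bits,
    }


def weak_ids(n, start=0x1000):
    """Constructed weak generator: a plain counter padded to 32 hex chars.
    It looks like a 128-bit token but carries almost no entropy."""
    return ["%032x" % (start + i) for i in range(n)]


def strong_ids(n):
    """128 bits from the OS CSPRNG, rendered as 32 hex chars."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for name, batch in (("counter", weak_ids(200)), ("secrets", strong_ids(200))):
        report = assess(batch)
        print(f"{name:8s} entropy={report['entropy_bits']:6.1f} bits "
              f"step={report['step']} predictable={report['predictable']}")
```

Run against a real application, the batch would come from repeatedly logging in and collecting the issued cookie; the two checks then tell you whether the ID is worth a brute-force budget (low entropy) or needs no brute force at all (constant step). Rotating the ID on login also closes the session-fixation case above, since a pre-set ID is discarded at the moment it would become valuable.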