[Owasp-delhi] Session ID analysis

Gunwant Singh gunwant.s at gmail.com
Wed Nov 3 05:30:05 EDT 2010


Suresh,

Apparently WebScarab and Burp-Sequencer are undoubtedly unmatched tools,
however these tools would only help you test the Entropy of the Session Ids
i.e. how random they are against reverse-engineering.

Another aspect of the Session ID analysis is to fuzz the Session-Header
value i.e. supplying malicious values in the Session Header field. Fuzzing
is a great option to catch any exceptions w.r.t SIDs. Popular free fuzzers
include SPIKE Proxy, Peach Fuzzer Framework. There is a Fuzzer-UI available
in WebScarab besides the Session-ID analysis tab.

Hope that helps.
-Gunwant
On Wed, Nov 3, 2010 at 1:25 PM, Vaibhav Gupta <vaibhg at gmail.com> wrote:

> Hi suresh
>
> One good tool for session ID analysis is Owasp - Webscarab.
> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
>
> It can extract and plot session ID values over time in graphical format and
> help inferring its randomness. You can even use Burp-Sequencer for indepth
> analysis for the session IDs.
> http://portswigger.net/burp/download.html
>
> Regards
> Vaibhav Gupta
>
>
>   On Tue, Nov 2, 2010 at 1:54 PM, suresh tiwary <
> sureshtiwary at rediffmail.com> wrote:
>
>>  Dear All,
>>
>> May we know the tools(open source, freeware and commercial tools) and
>> scripts available for Session ID analysis in web applications. Which
>> commercial tool is best for Session ID analysis ?
>>
>> Many companies working in IT Security but do not perform Session ID
>> analysis and so how do they conclude the risk analysis of Session ID during
>> web application penetration testing & assessment ? Is the Session ID
>> generated by .NET application/ framework safe enough. how about java web
>> applications ?
>>
>> regards,
>> suresh
>>
>> <http://sigads.rediff.com/RealMedia/ads/click_nx.ads/www.rediffmail.com/signaturelin[email protected]?>
>> _______________________________________________
>> Owasp-delhi mailing list
>> Owasp-delhi at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>
>>
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>


-- 
Gunwant Singh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20101103/e6b839e0/attachment-0001.html 


More information about the Owasp-delhi mailing list