[Owasp-delhi] Session ID analysis
gunwant.s at gmail.com
Wed Nov 3 05:30:05 EDT 2010
Apparently WebScarab and Burp-Sequencer are undoubtedly unmatched tools; however, these tools would only help you test the entropy of the Session IDs, i.e. how random they are against reverse engineering.
Another aspect of Session ID analysis is to fuzz the Session-Header value, i.e. supplying malicious values in the Session Header field. Fuzzing is a great option to catch any exceptions w.r.t. SIDs. Popular free fuzzers include SPIKE Proxy and the Peach Fuzzer Framework. There is a Fuzzer-UI available in WebScarab besides the Session-ID analysis tab.
Hope that helps.
On Wed, Nov 3, 2010 at 1:25 PM, Vaibhav Gupta <vaibhg at gmail.com> wrote:
> Hi Suresh,
> One good tool for session ID analysis is OWASP WebScarab.
> It can extract and plot session ID values over time in graphical format and
> help in inferring their randomness. You can even use Burp-Sequencer for in-depth
> analysis of the session IDs.
> Vaibhav Gupta
> On Tue, Nov 2, 2010 at 1:54 PM, suresh tiwary <
> sureshtiwary at rediffmail.com> wrote:
>> Dear All,
>> May we know the tools (open source, freeware and commercial tools) and
>> scripts available for Session ID analysis in web applications. Which
>> commercial tool is best for Session ID analysis?
>> Many companies work in IT security but do not perform Session ID
>> analysis, so how do they conclude the risk analysis of Session IDs during
>> web application penetration testing & assessment? Is the Session ID
>> generated by the .NET application/framework safe enough? How about Java web
>> applications?