[Owasp-delhi] Session ID analysis
piyush.maharishi at gmail.com
Wed Nov 3 06:47:38 EDT 2010
You can also use "IBM Rational Token Analyzer", which comes as a part of the power
tools with IBM Rational AppScan. It also provides a good analysis. There are a
few places where WebScarab and Burp Sequencer have limitations, like capturing
of tokens in the case of a flow or multistage transactions. In that case this
tool works perfectly.
On Wed, Nov 3, 2010 at 3:00 PM, Gunwant Singh <gunwant.s at gmail.com> wrote:
> Apparently WebScarab and Burp Sequencer are undoubtedly unmatched tools;
> however, these tools would only help you test the entropy of the session IDs,
> i.e. how random they are against reverse-engineering.
> Another aspect of session ID analysis is to fuzz the session header
> value, i.e. supplying malicious values in the session header field. Fuzzing
> is a great option to catch any exceptions w.r.t. SIDs. Popular free fuzzers
> include SPIKE Proxy and the Peach Fuzzer Framework. There is a Fuzzer UI available
> in WebScarab besides the Session-ID analysis tab.
> Hope that helps.
> On Wed, Nov 3, 2010 at 1:25 PM, Vaibhav Gupta <vaibhg at gmail.com> wrote:
>> Hi Suresh,
>> One good tool for session ID analysis is OWASP WebScarab.
>> It can extract and plot session ID values over time in graphical format
>> and help in inferring their randomness. You can even use Burp Sequencer for
>> in-depth analysis of the session IDs.
>> Vaibhav Gupta
>> On Tue, Nov 2, 2010 at 1:54 PM, suresh tiwary <
>> sureshtiwary at rediffmail.com> wrote:
>>> Dear All,
>>> May we know the tools (open source, freeware and commercial tools) and
>>> scripts available for session ID analysis in web applications. Which
>>> commercial tool is best for session ID analysis?
>>> Many companies working in IT security do not perform session ID
>>> analysis, so how do they conclude the risk analysis of session IDs during
>>> web application penetration testing & assessment? Is the session ID
>>> generated by the .NET application/framework safe enough? How about Java web
>>> applications?
>>> Owasp-delhi mailing list
>>> Owasp-delhi at lists.owasp.org
> Gunwant Singh
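As an added example that is not part of any message in this thread: the entropy checks that WebScarab's Session-ID analysis tab and Burp Sequencer automate can be approximated offline with a short script, which is handy when the token can only be captured by stepping through a multistage flow by hand. The two sample sets below are constructed for this example (a deliberately weak prefix-plus-counter generator and a seeded PRNG standing in for a decent generator); no IDs here come from a real application, and the thresholds in the report are illustrative, not a standard.

```python
"""Offline session-ID sanity checks (added example, not a tool from the thread).

Feed it a few hundred IDs captured from the same application and it reports:
  * positions that never change (constant prefixes, padding, encoded fields),
  * an estimate of how many bits of entropy the sample actually exhibits,
  * whether the IDs decode to a slowly increasing counter.
"""
import math
import random
from collections import Counter


def per_position_entropy(ids):
    """Shannon entropy (bits) of the character seen at each position.

    A constant position contributes 0 bits; a position uniform over the hex
    alphabet approaches 4 bits as the sample grows. This is an estimate from
    the sample, not the generator's true entropy, so a low number is a red
    flag to investigate rather than proof of a flaw.
    """
    length = len(ids[0])
    if any(len(i) != length for i in ids):
        raise ValueError("session IDs must have one consistent length to compare positions")
    n = len(ids)
    entropies = []
    for pos in range(length):
        counts = Counter(i[pos] for i in ids)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def looks_sequential(ids, base=16, max_delta=10_000):
    """True if the IDs decode as integers that strictly increase by a small step,
    i.e. a counter or timestamp rather than a random value."""
    try:
        values = [int(i, base) for i in ids]
    except ValueError:
        return False  # not purely numeric in this base, so not a plain counter
    deltas = [b - a for a, b in zip(values, values[1:])]
    return bool(deltas) and all(0 < d <= max_delta for d in deltas)


def analyze(ids):
    """Summarise a sample of session IDs as a small report dict."""
    h = per_position_entropy(ids)
    return {
        "samples": len(ids),
        "length": len(ids[0]),
        "fixed_positions": [p for p, e in enumerate(h) if e == 0.0],
        "estimated_bits": round(sum(h), 1),
        "sequential": looks_sequential(ids),
    }


# Constructed sample sets for this example (not captured from any application).
# Weak: 8-char constant prefix followed by a 24-hex-digit counter that steps by 7.
WEAK_IDS = ["a1b2c3d4" + format(0x4ECB0000 + 7 * i, "024x") for i in range(200)]
# Stronger-looking: 128 random bits per ID. Seeded so the example is reproducible;
# a real application should use secrets.token_hex(), never random.Random.
_rng = random.Random(2010)
STRONG_IDS = [format(_rng.getrandbits(128), "032x") for _ in range(200)]

if __name__ == "__main__":
    for name, ids in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(name, analyze(ids))
```

The weak set shows 29 of 32 positions constant, roughly ten bits of observed entropy and a positive counter test, which is the pattern of a predictable token; the seeded set shows no fixed positions and well over a hundred bits. Run it against IDs captured across several sessions, logins and server restarts, since a generator that looks random within one session can still repeat or reseed predictably between them.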