[Owasp-delhi] Session ID analysis

Piyush Maharishi piyush.maharishi at gmail.com
Wed Nov 3 06:47:38 EDT 2010


Hi Suresh,

You can also use "IBM Rational Token Analyzer", which comes as part of the power
tools with IBM Rational AppScan. It also provides a good analysis. There are a
few places where WebScarab and Burp-Sequencer have limitations, like capturing
of the token in the case of a flow or multistage transactions. In that case this
tool works perfectly.

Regards
Piyush Maharishi

On Wed, Nov 3, 2010 at 3:00 PM, Gunwant Singh <gunwant.s at gmail.com> wrote:

> Suresh,
>
> Apparently WebScarab and Burp-Sequencer are undoubtedly unmatched tools;
> however, these tools would only help you test the entropy of the Session IDs,
> i.e. how random they are against reverse-engineering.
>
> Another aspect of the Session ID analysis is to fuzz the Session-Header
> value, i.e. supplying malicious values in the Session Header field. Fuzzing
> is a great option to catch any exceptions w.r.t. SIDs. Popular free fuzzers
> include SPIKE Proxy and the Peach Fuzzer Framework. There is a Fuzzer-UI available
> in WebScarab besides the Session-ID analysis tab.
>
> Hope that helps.
> -Gunwant
> On Wed, Nov 3, 2010 at 1:25 PM, Vaibhav Gupta <vaibhg at gmail.com> wrote:
>
>> Hi Suresh,
>>
>> One good tool for session ID analysis is OWASP WebScarab.
>> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
>>
>> It can extract and plot session ID values over time in graphical format
>> and help infer their randomness. You can even use Burp-Sequencer for
>> in-depth analysis of the session IDs.
>> http://portswigger.net/burp/download.html
>>
>> Regards
>> Vaibhav Gupta
>>
>>
>> On Tue, Nov 2, 2010 at 1:54 PM, suresh tiwary <
>> sureshtiwary at rediffmail.com> wrote:
>>
>>> Dear All,
>>>
>>> May we know the tools (open source, freeware and commercial tools) and
>>> scripts available for Session ID analysis in web applications? Which
>>> commercial tool is best for Session ID analysis?
>>>
>>> Many companies work in IT Security but do not perform Session ID
>>> analysis, so how do they conclude the risk analysis of Session IDs during
>>> web application penetration testing & assessment? Is the Session ID
>>> generated by the .NET application/framework safe enough? How about Java web
>>> applications?
>>>
>>> regards,
>>> suresh
>>>
>>> _______________________________________________
>>> Owasp-delhi mailing list
>>> Owasp-delhi at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>>
>>>
>>
>>
>>
>
>
> --
> Gunwant Singh
>
>
>
>
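The entropy testing that Gunwant and Vaibhav describe (collecting a sample of session IDs over time and inferring how random they are) can be done without a proxy tool for a first check. The script below is an added example, not code from the thread or from WebScarab/Burp; the two token samples are constructed inline, and the "strong" one is only a random-looking stand-in, since a sample-level test measures what the sample shows, not how the server generated it.

```python
"""Sequencer-style randomness checks over a sample of session IDs.

Sample data is constructed inline (no server is contacted); the functions
work on any list of equal-length tokens captured over time."""
import hashlib
import math
from collections import Counter


def per_position_entropy(ids):
    """Shannon entropy (bits) of the symbol observed at each character position.
    0.0 at a position means that character never changes across the sample."""
    width = len(ids[0])
    if any(len(t) != width for t in ids):
        raise ValueError("all session IDs in the sample must have equal length")
    total = len(ids)
    result = []
    for pos in range(width):
        counts = Counter(t[pos] for t in ids)
        result.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return result


def constant_delta_ratio(ids, base=16):
    """Fraction of consecutive pairs sharing the single most common numeric
    difference: 1.0 is a pure counter, about 1/(n-1) shows no step pattern."""
    values = [int(t, base) for t in ids]
    deltas = [b - a for a, b in zip(values, values[1:])]
    most_common_count = Counter(deltas).most_common(1)[0][1]
    return most_common_count / len(deltas)


def assess(ids, base=16, min_bits=64.0):
    """Summarise the sample; 'predictable' flags too little observed entropy
    or a dominant step between successive values (hypothetical thresholds)."""
    ent = per_position_entropy(ids)
    ratio = constant_delta_ratio(ids, base)
    return {
        "observed_bits": round(sum(ent), 2),
        "dead_positions": sum(1 for e in ent if e == 0.0),
        "constant_delta_ratio": round(ratio, 3),
        "predictable": sum(ent) < min_bits or ratio > 0.5,
    }


# Constructed samples: a counter stepping by 7 (weak) and hash-derived tokens
# that merely look random to the test (stand-in for a CSPRNG-backed ID).
WEAK_IDS = [f"{1000 + 7 * i:08x}" for i in range(64)]
STRONG_IDS = [hashlib.sha256(b"example-seed-" + str(i).encode()).hexdigest()[:32]
              for i in range(64)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_IDS), ("strong", STRONG_IDS)):
        print(name, assess(sample))
```

A real run would feed the functions a few hundred IDs issued by fresh logins to your own application; the counter sample shows why the leading positions of a token matter as much as its length.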