8

To elaborate on this, I'm looking at this from the perspective of a hacker/penetration tester. Many times I have seen web applications that I know have weak cookies. I can tell this because I can issue hundreds/thousands of login requests and the session cookies that the server responds with will have noticeable patterns in them. For example, some session cookies will have repeated characters present in all session cookies(e.g., the first 6 characters of a 13 character session cookie are all the same). Others are generated based on time, so if I issue a bunch of login requests all at the same time, the server will respond with the same session cookie (Assuming the server generates the cookie based on the second/minute).

While these types of patterns are easily noticeable, I know that some patterns aren't so easy for us humans to see.

So my two questions:

1) What methods and tools are out there to determine the strength of a cookie?

2) Once a weak session cookie has been identified, how would one go about analyzing and reverse engineering the session cookie generation algorithm? (Keeping in mind that the end goal here is to eventually be able to predict session cookies)

tifkin
  • 241
  • 1
  • 6

1 Answers1

4

Burp has a session id analysis tool, but I'll be honest its output doesn't make any sense and as a penetration tester, this feature has never led to a finding...

If I audit a session handler I will look at its source code and judge it by the entropy source that it is using.

In a blabkbox assessment if the session id doesn't change when you authenticate multiple times then the application might be using the password hash as the session id. The developer who wrote this garbage should be fired, there is no excuse for this degree of incompetence. (Wordpress, I'm looking at you)

rook
  • 46,916
  • 10
  • 92
  • 181
  • I'm with you on Burp. I the only reason I use Burp Sequencer is to capture session keys and then I analyze them manually. I would look at the source code as well if I could, but I'm wanting to go about this more from a black box perspective. – tifkin Oct 27 '12 at 03:21
  • 1
    @tifkin yeah performing a blackbox analysis of this sounds like a waste. – rook Oct 27 '12 at 04:14
  • In real world pen tests I would definitely say so as well. I just want to know how to fulfill my own curiosity :) I guess since this is more crytographic analysis, I probably should have posted this under the Cryptography site. Oh well! – tifkin Oct 27 '12 at 06:06