[TOOL] Stompy the WWW Session Stomper



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Stompy the WWW Session Stomper
------------------------------------------------------------------------


SUMMARY



DETAILS

Stompy is a free tool to perform a fairly detailed black-box assessment of
WWW session identifier generation algorithms. Session IDs are commonly
used to track authenticated users, and as such, whenever they're
predictable or simply vulnerable to brute-force attacks, we do have a
problem.

Some session ID cookie generation mechanisms are well-studied and
well-documented, and believed to be cryptographically secure (example:
Apache Tomcat, PHP, ASP.NET builtins). This is not necessarily so for
certain less researched enterprise web platforms - and almost never so for
custom solutions that are frequently implemented inside the web
application itself.

Yet, while there are several nice GUI-based tools designed to analyze HTTP
cookies for common problems (Daves' WebScarab, SPI Cookie Cruncher,
Foundstone CookieDigger, etc), they all seem to rely on very trivial, if
any, tests when it comes to unpredictability ("alphabet distribution" or
"average bits changed" are top shelf); this functionality is often no
better than a quick pen-and-paper analysis, and can't be routinely used to
tell a highly vulnerable linear congruential PRNG (rand()) from a
well-implemented MD5 hash system (/dev/urandom).

Today's super-bored pen-testers can at best collect data by hand,
determine its encoding, write conversion scripts, and then feed it to NIST
Statistical Test Suite or alike - but few will.

To provide a fully automated, hands-off way to reliably detect anomalies
that are not readily apparent at first glance, the tool:

- Automatically finds session IDs carried in URLs, cookies, and form
inputs, then collects a statistically significant sample of data,

- Determines alphabet structure to transparently handle base64,
uuencode, base32, hex, and any other sane encoding scheme without user
intervention.

- Translates the data to isolated time-domain bitstreams to examine how
SID bits at each position change in time.

- Runs a suite of FIPS-140-2 PRNG evaluation tests on the sample.

- Runs an array of n-dimensional phase space tests to find deterministic
correlations, PRNG hyperplanes, etc, etc.

Of course, the tool cannot prove the correctness of an implementation, and
it is possible to devise predictable, cryptographically unsafe PRNGs that
would pass these tests; still, the tool can find plenty of problems and
oddities.

Well, that's it. For more, see the included README file. The application,
in a fairly decent shape (not a wobbly PoC) and tested under Linux,
FreeBSD, and CYGWIN, can be downloaded here:
http://lcamtuf.coredump.cx/stompy.tgz


ADDITIONAL INFORMATION

The information has been provided by Michal Zalewski
<mailto:lcamtuf@xxxxxxxxxxxx>.
To keep updated with the tool visit the project's homepage at:
http://lcamtuf.coredump.cx/stompy.tgz



