RE: Proof of Concept Tool on Web Application Security

From: Einecker, Leah (Leah_Einecker@Intuit.com)
Date: 04/10/03

    From: "Einecker, Leah" <Leah_Einecker@Intuit.com>
    To: "'Indian Tiger'" <indiantiger@mailandnews.com>, "pen test" <Pen-test@securityfocus.com>
    Date: Thu, 10 Apr 2003 14:56:43 -0700
    
    

    David Endler and Michael Sutton did a presentation on brute-forcing session
    IDs at DEFCON last year. Links to the presentation, the "iDefense Session
    Auditor tool", and a video of the talk are all available at:
    http://www.defcon.org/html/links/defcon-media-archives.html

    Cheers,
    -L

    >-----Original Message-----
    >From: Indian Tiger [mailto:indiantiger@mailandnews.com]
    >Sent: Tuesday, April 15, 2003 11:06 AM
    >To: pen test
    >Subject: Proof of Concept Tool on Web Application Security
    >
    >
    >Hi all,
    >
    >I have tried a lot to find any Proof of Concept Tool on Web Application
    >Security but still I am not able to find a single one. Let me give some
    >specific details.
    >
    >Session ID
    >Generally the session ID is big enough and acts as an authentication
    >token. Most of the time it only changes the last few digits, let's say
    >only three digits from the end. Even if it does only this, it's very
    >tough to guess these last three digits. I have made a testing site and
    >tried but was not able to do that. I knew the session ID is not the only
    >authentication parameter. It can contain cookies, session tokens etc. as
    >well. I have tried Achilles, Web Sleuth, Web Inspect, Spike Proxy etc. I
    >think at least they don't do such brute force. Is there any tool which
    >does brute force on this and gives the session ID?
    >
    >Cookie Manipulation
    >Several articles talk about Cookie Manipulation. How to get the cookies
    >of others, even in a LAN, seems very tough or not possible as per my
    >study on the Web. If an attacker is able to redirect another person's
    >traffic to any proxy like Achilles or Web Sleuth, then he can perform
    >attacks. Now nobody is going to allow changing his proxy setting and
    >sending his output through the attacker (proxy). Is there any tool which
    >can give access to / manipulate the cookie remotely?
    >
    >This manipulation can also be achieved if an attacker can put his proxy
    >(Web Sleuth) on an intermediate router/proxy. One example: I am
    >accessing Hotmail, and on my ISP's router/proxy an attacker installs a
    >tool like Web Sleuth. But again the question comes: a router works on
    >OSI layer 3, so the attacker can't put a tool like Web Sleuth there. If
    >the intermediate hop is a proxy, which is on the application level,
    >there should be some tool which can be placed here.
    >
    >XSS
    >Cross Site Scripting has to use client-side scripting only. What could
    >be the maximum impact of this? Can an attacker format a machine or steal
    >data by this? If yes, how?
    >
    >Please also tell me about any other Proof of Concept Tool on Web
    >Application Security. I read the OWASP guides, WebGoat and some more to
    >understand these three things deeply and develop a Proof of Concept
    >Tool, but with no success except Hidden Field manipulation. Please
    >recommend some good guides on this.
    >
    >Any help on this would be highly appreciated.
    >
    >Thanking you.
    >Sincerely,
    >
    >Indian Tiger, CISSP

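One way to check the predictability the original post describes, as an added example (not a tool from this thread and not the iDefense Session Auditor): sample a set of session IDs issued by your own application, find which positions actually change, and compare the entropy observed in the sample with the nominal size of the ID. The sample IDs are constructed for the example, and the 64-bit threshold is an assumption taken from OWASP session-management guidance.

```python
import math
import secrets
from collections import Counter

# Constructed sample (not from any real application) of session IDs showing the
# pattern in the post: a fixed body where only the last three characters vary.
SAMPLE_IDS = [
    "8f3a1c9e7b2d4a6f0e5c217",
    "8f3a1c9e7b2d4a6f0e5c388",
    "8f3a1c9e7b2d4a6f0e5c459",
    "8f3a1c9e7b2d4a6f0e5c520",
    "8f3a1c9e7b2d4a6f0e5c691",
    "8f3a1c9e7b2d4a6f0e5c762",
]
# Threshold assumed here, following OWASP guidance of at least 64 bits of entropy.
MIN_BITS = 64

def varying_positions(ids):
    """Indices at which the sampled IDs do not all carry the same character."""
    length = len(ids[0])
    if any(len(i) != length for i in ids):
        raise ValueError("all sampled IDs must have the same length")
    return [p for p in range(length) if len({i[p] for i in ids}) > 1]

def shannon_bits(symbols):
    """Entropy in bits of the empirical distribution of one ID column."""
    counts = Counter(symbols)
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def audit(ids, bits_per_char=4):
    """Nominal size of the ID versus the entropy the sample actually shows.
    A small sample gives an optimistic estimate: a low value proves weakness,
    a high one does not prove strength. bits_per_char=4 assumes hex encoding."""
    varying = varying_positions(ids)  # also validates that lengths agree
    observed = sum(shannon_bits([i[p] for i in ids]) for p in range(len(ids[0])))
    return {
        "nominal_bits": len(ids[0]) * bits_per_char,
        "observed_bits": observed,
        "varying_positions": varying,
        "predictable": observed < MIN_BITS,
    }

def generate_session_id(nbytes=16):
    """Hardened counterpart: 128 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(nbytes)

if __name__ == "__main__":
    print(audit(SAMPLE_IDS))  # observed ~7.75 bits of 92 nominal: predictable
    print(audit([generate_session_id() for _ in range(64)]))
```

Run it against a few dozen IDs captured from your own test site: the three varying columns of the constructed sample yield under 8 bits, which is the search space a guessing attack would face, while the CSPRNG-generated IDs vary in every column.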

