Re: SessionId Prediction - Classic ASP - Tool?



Hi Jay,

On Fri, 22/02/2008 at 11:36 -0500, Jay wrote:
How is it known that 706616434 equates to ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE?

have a look at http://www.cgisecurity.com/lib/SessionIDs.pdf
"..
IIS ASP SessionID
Session ID values are 32-bit long integers.
Each time the Web server is restarted, a random session ID starting
value is selected.
For each new ASP session that is created, the session ID value is
incremented.
The 32-bit session ID is mixed with random data and encrypted to
generate a 16-character cookie string. Later, when a cookie is received,
the session ID is decrypted from the 16-character cookie string.
The encryption key is randomly selected each time the Web server is
restarted.
.."

Cheers,
Stefano
--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
..................
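As an added illustration of the design quoted above (this is example code, not part of Stefano's reply or of the cgisecurity paper), the script below audits a sample of session identifiers by measuring the Shannon entropy of each character position. It compares a constructed worst case, a plain hex-encoded 32-bit counter, against identifiers drawn from the operating system CSPRNG via `secrets.token_hex`. The sample values, the starting counter of 1000 and the sample size are all constructed for the example; none of them come from the thread.

```python
import math
import secrets
from collections import Counter

# Constructed worst case: a zero-padded hex encoding of a 32-bit counter,
# i.e. the quoted counter design without its random mixing and encryption.
def counter_session_ids(start: int, count: int) -> list[str]:
    """Session IDs that are nothing more than a sequential 32-bit counter."""
    return [f"{(start + i) & 0xFFFFFFFF:08x}" for i in range(count)]

def random_session_ids(count: int, nbytes: int = 16) -> list[str]:
    """Session IDs drawn from the OS CSPRNG (128 bits of state for nbytes=16)."""
    return [secrets.token_hex(nbytes) for _ in range(count)]

def position_entropies(ids: list[str]) -> list[float]:
    """Shannon entropy, in bits, of the symbol observed at each character position."""
    if not ids:
        return []
    width = len(ids[0])
    if any(len(i) != width for i in ids):
        raise ValueError("all session IDs in a sample must have the same length")
    n = len(ids)
    result = []
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        result.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return result

def audit(ids: list[str]) -> dict:
    """Summarise a sample: fixed positions and bits per character.

    Note the limits of a statistical audit: with n samples a position can show
    at most log2(n) bits, and an encrypted counter (the quoted IIS design)
    looks uniform under this test even though its underlying state space is
    at most 2**32. The audit catches the naive case; the real fix is to draw
    identifiers from a CSPRNG rather than from any counter.
    """
    hs = position_entropies(ids)
    return {
        "length": len(hs),
        "mean_bits_per_char": sum(hs) / len(hs),
        "min_bits_per_char": min(hs),
        "fixed_positions": sum(1 for h in hs if h == 0.0),
        "observed_bits": sum(hs),
    }

if __name__ == "__main__":
    # Constructed sample sizes; 300 identifiers each.
    print("counter scheme:", audit(counter_session_ids(1000, 300)))
    print("CSPRNG scheme: ", audit(random_session_ids(300)))
```

Running it shows the counter sample with five of its eight hex positions completely fixed and well under two bits per character on average, while the CSPRNG sample has no fixed positions and close to the four bits per hex digit that a uniform 16-symbol alphabet allows.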

