VBScript and the Randomize function
From: Matt Watchinski (matt@farm9.com)Date: 08/17/01
- Previous message: David Wheeler: "Re: PHP"
- Next in thread: Thomas Jespersen: "Re: VBScript and the Randomize function"
- Reply: Thomas Jespersen: "Re: VBScript and the Randomize function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B7C565F.C268F83B@farm9.com> Date: Thu, 16 Aug 2001 18:25:19 -0500 From: Matt Watchinski <matt@farm9.com> To: secprog@securityfocus.com Subject: VBScript and the Randomize function
During a OS level penetration test I came across an application that
used a function similar to the following to generation session keys for
tracking Web users. This function generated a 11 digit string "unique"
key that tracked the session. My question is; is this function really
random or will it repeat in a predictable sequence? I haven't been able
to find very good documentation how the VBScript Randomize function
seeds itself (other than system timer, whatever that is referencing is
unknown to me) so i was hoping some could help/point me in the right
direction.
Here is the function.
<%
Function RandomFoo(length)
Dim i
RandomFoo = ""
Randomize
For i = 0 to length
RandomFoo = RandomFoo & Chr(Int(26 * Rnd + 65))
Next
End Function
RandomFoo(10)
%>
One quick note if (system timer) the seed for Randomize with no
arguments is reverseable from system time IE the number of seconds from
epoch, does it change the predictability of the function.
if this isn't the correct list for such a question please point me in
the right direction. I thought it would have some bearing here though,
as i've seen very similar things in lots of we application.
thanks
-matt
- Previous message: David Wheeler: "Re: PHP"
- Next in thread: Thomas Jespersen: "Re: VBScript and the Randomize function"
- Reply: Thomas Jespersen: "Re: VBScript and the Randomize function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
