Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Kevin Fu (fubob@MIT.EDU)
Date: 08/30/01


Message-Id: <200108302024.QAA18576@ultrasparc.mit.edu>
To: Jose Nazario <jose@biocserver.BIOC.cwru.edu>
Subject: Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
Date: Thu, 30 Aug 2001 16:24:02 -0400
From: Kevin Fu <fubob@MIT.EDU>


>if you (the original author) really want to beef this up, i suggest doing
>a large scale statistical analysis of the session IDs and cookies,
>illustrate some predictive properties (i.e. if it's using gettimeofday(),
>everyone's favorite seed for their PRNG), and put together some demos. you
>may be on to something, as it really does rely on some implicit trust that
>the session values are generated randomly.

Something along these lines is already underway. Volunteers can
upload Netscape-style cookies on http://cookies.lcs.mit.edu/. The
cookies are then stored in an SQL database for pattern matching and
reverse engineering. Volunteers are welcome to help make the site
work for cookies from other browsers such as MSIE and Konqueror. We
have plans for HTTPS and HTTP proxies so that volunteers can donate
the tastier ephemeral RAM-only cookies too.

At the USENIX security symposium, we explained how we broke many
insecure authentication schemes including schemes used at WSJ.com,
SprintPCS.com, FatBrain.com, highschoolalumni.com, and others. Of the
twenty-seven sites we investigated, we weakened the client
authentication on two systems, gained unauthorized access on eight,
and extracted the secret key used to mint authenticators from one.

Anyhow, read the tech report and privacy policy on cookies.lcs.mit.edu
if you're interested.

--------
Kevin E. Fu (fubob@mit.edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
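
A first-pass version of the statistical check suggested in the quoted message, added here as an example (not code from this thread or from cookies.lcs.mit.edu): three indicators an operator can run over a batch of session IDs issued by their own server, shown on a constructed sample where one generator is clock-derived and the other draws random bits. The 13-hex-digit width, the 2,000,000 step threshold and the sample epoch are assumptions of the example.

```python
import math
import random
from collections import Counter

def entropy_bits(tokens):
    """Sum over character positions of the empirical Shannon entropy (bits)
    of the symbol seen at that position. A crude upper bound on the token's
    real entropy: a low value is a red flag, a high value is not a proof."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    total = 0.0
    for pos in range(width):
        for count in Counter(t[pos] for t in tokens).values():
            p = count / n
            total -= p * math.log2(p)
    return total

def sequential_ratio(tokens, max_step, base=16):
    """Fraction of consecutive tokens that increase by less than max_step.
    Near 1.0 means a counter or clock is leaking through, not a CSPRNG."""
    vals = [int(t, base) for t in tokens]
    close = sum(1 for a, b in zip(vals, vals[1:]) if 0 < b - a < max_step)
    return close / (len(vals) - 1)

def clock_correlation(tokens, issue_times, base=16):
    """Pearson correlation between token value and issue time. |r| near 1
    means the token is a function of the clock (the gettimeofday() seed the
    thread mentions), so knowing roughly when a session began narrows it."""
    xs = [float(int(t, base)) for t in tokens]
    ys = [float(s) for s in issue_times]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)

# Constructed sample (not real captured cookies): 200 sessions issued one
# second apart, starting at an assumed epoch in seconds.
ISSUE_TIMES = [998_000_000 + i for i in range(200)]
_rng = random.Random(2001)
# "Weak" generator: microsecond clock plus a little jitter, rendered as hex.
WEAK_IDS = [f"{t * 1_000_000 + _rng.randint(0, 999):013x}" for t in ISSUE_TIMES]
# "Strong" generator: 52 random bits per session, same width, same times.
STRONG_IDS = [f"{_rng.getrandbits(52):013x}" for _ in ISSUE_TIMES]

def audit(tokens, issue_times, max_step=2_000_000):
    """Bundle the three indicators for one batch of tokens."""
    return (entropy_bits(tokens), sequential_ratio(tokens, max_step),
            clock_correlation(tokens, issue_times))
```

Run `audit(WEAK_IDS, ISSUE_TIMES)` against `audit(STRONG_IDS, ISSUE_TIMES)`: the clock-derived batch shows far fewer entropy bits, a sequential ratio of 1.0 and a clock correlation near 1, while the random batch shows none of these.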
