Brute-Forcing Web Application Session IDs

From: dendlerat_private
Date: Tue Nov 13 2001 - 06:52:53 PST


Hello,

iDEFENSE Labs has released a paper entitled "Brute-Force
Exploitation of Web Application Session IDs." It covers the basics
of brute-forcing web applications through guessing or reverse
engineering state session IDs which are often used for
authentication purposes. Several examples are shown using some
familiar web sites and applications on how stealing or mimicking a
legitimate user's credentials is possible. All relevant vendors and
site administrators were informed responsibly before publication.

The paper is available at http://www.idefense.com/sessionids.html

David Endler
Director, iDEFENSE Labs
dendlerat_private
www.idefense.com

This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 08:51:07 PST