Re: Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)

From: Kevin Fu (fubobat_private)
Date: Thu Aug 30 2001 - 13:24:02 PDT

    >if you (the original author) really want to beef this up, i suggest doing
    >a large scale statistical analysis of the session IDs and cookies,
    >illustrate some predictive properties (i.e. if it's using gettimeofday(),
    >everyone's favorite seed for their PRNG), and put together some demos. you
    >may be on to something, as it really does rely on some implicit trust that
    >the session values are generated randomly.
    
    Something along these lines is already underway.  Volunteers can
    upload Netscape-style cookies on http://cookies.lcs.mit.edu/.  The
    cookies are then stored in an SQL database for pattern matching and
    reverse engineering.  Volunteers are welcome to help make the site
    work for cookies from other browsers such as MSIE and Konqueror.  We
    have plans for HTTPS and HTTP proxies so that volunteers can donate
    the tastier ephemeral RAM-only cookies too.
    
    At the USENIX security symposium, we explained how we broke many
    insecure authentication schemes including schemes used at WSJ.com,
    SprintPCS.com, FatBrain.com, highschoolalumni.com, and others.  Of the
    twenty-seven sites we investigated, we weakened the client
    authentication on two systems, gained unauthorized access on eight,
    and extracted the secret key used to mint authenticators from one.
    
    Anyhow, read the tech report and privacy policy on cookies.lcs.mit.edu
    if you're interested.
    
    --------
    Kevin E. Fu (fubobat_private)
    PGP key: https://snafu.fooworld.org/~fubob/pgp.html
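
A coarse version of the statistical check the quoted suggestion describes, for auditing session IDs issued by your own application. This is an added example, not part of the original message or of the cookies.lcs.mit.edu project; the function names, thresholds and sample tokens are assumptions constructed for illustration.

```python
import math
import secrets
from collections import Counter

def position_entropy(tokens):
    """Shannon entropy (bits) of the characters observed at each position."""
    n = len(tokens)
    width = min(len(t) for t in tokens)
    return [-sum(c / n * math.log2(c / n)
                 for c in Counter(t[i] for t in tokens).values())
            for i in range(width)]

def estimated_bits(tokens):
    """Rough upper bound on unpredictable bits: sum of per-position entropy."""
    return sum(position_entropy(tokens))

def delta_concentration(tokens):
    """Share of successive numeric differences equal to the most common one.
    Near 1.0 suggests a counter or clock; random IDs give about 1/len."""
    values = [int(t, 16) for t in tokens]
    deltas = [b - a for a, b in zip(values, values[1:])]
    return Counter(deltas).most_common(1)[0][1] / len(deltas)

def audit(tokens, min_bits=64, max_concentration=0.05):
    """Return findings for hex session IDs listed in issue order.
    Thresholds are assumptions chosen for this example."""
    findings = []
    bits = estimated_bits(tokens)
    if bits < min_bits:
        findings.append(f"only ~{bits:.0f} bits vary across samples")
    conc = delta_concentration(tokens)
    if conc > max_concentration:
        findings.append(f"{conc:.0%} of successive IDs differ by the same step")
    return findings

def constructed_weak_tokens(n=200):
    """Constructed sample: IDs that are a microsecond-style clock value."""
    base = 999_100_000_000_000  # made-up starting value
    return [format(base + i * 137 + i % 3, "032x") for i in range(n)]

def constructed_strong_tokens(n=200):
    """Constructed sample: 128-bit IDs from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]

if __name__ == "__main__":
    for name, sample in [("clock-derived", constructed_weak_tokens()),
                         ("CSPRNG", constructed_strong_tokens())]:
        print(name, audit(sample) or "no findings")
```

Passing both checks does not show that an ID is unpredictable, since a seeded PRNG can look uniform; failing either one shows structure that should not be there.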
    


