ColdFusion session id analysis - help wanted

From: Alla Bezroutchko (allaat_private)
Date: Wed Jan 22 2003 - 03:40:57 PST

    I've been doing a web application audit for a customer and did some
    analysis of ColdFusion session cookies. While not completely predictable
    at first glance, there seem to be some interesting, quite non-random
    patterns there. Unfortunately I don't have time to finish this, so
    perhaps someone can use my results to continue this research.
    
    The goal would be to determine how much randomness there is in 
    ColdFusion session ids and if possible try to predict them.
    
    ColdFusion uses two cookies to track sessions. One is called CFID and
    the other is called CFTOKEN. CFID seems to be incremented with each
    subsequent request, so it is predictable. CFTOKEN is a decimal number
    of 8 or fewer digits that seems random at first glance.
    
    I have gathered about 50000 values of CFTOKEN during a timespan of about
    10 hours. The result was a text file with the timestamp and the value of
    the cookie on each line. Then I plotted it using gnuplot.
    
    Y axis is the value of the cookie, x axis is the timestamp. Here is the
    image:
    
    http://www.scanit.be/cf/image1.gif
    
    If we look closer at it here is what we see:
    
    http://www.scanit.be/cf/image2.gif
    
    Apparently the values are distributed along the lines which can be
    described by an equation:
    
    y = kx + bn, (1)
    
    where x and y are the coordinates, k and b are constants and n is
    integer. The number of stripes is 238 - quite a strange number.
    
    There are quite wide stripes where there are no values at all. The
    stripes are about 200000 wide with 200000 empty space in between them.
    This decreases the number of possible cookie values by a factor of 2.
    
    I assume that the actual cookie value is composed of two independent
    random values that are concatenated. First random value determines the
    stripe and the second random value determines the deviation from the
    line defined by the equation above.
    
    I calculated the values for k and b, so the equation looks like this:
    
    y = tan(deg2rad(180-6.1806))/1000 * x + 442500*n + 138000 (2)
    
    Here is the distribution of the cookie values along those lines:
    
    http://www.scanit.be/cf/image3.gif
    
    Next I tried to analyse the deviation of the actual cookie values from
    equation (2). Here is a perl script I used to calculate deviations:
    
    ------------------------------------------------------------------------
    #!/usr/local/bin/perl
    # Compute, for each "<timestamp> <cookie value>" input line, the deviation
    # of the cookie value from the nearest stripe line of equation (2):
    #   y = k*x + b*n + d
    
    use strict;
    use Math::Trig;   # provides tan() and deg2rad()
    use POSIX;
    
    my ($input) = @ARGV;
    
    if(!$input) {die "usage: diff input-file\n"};
    
    open(DOTS, "<$input") || die "cannot open $input file for reading: $!";
    
    my @dots = <DOTS>;
    close(DOTS);
    
    my $k = tan(deg2rad(180-6.1806))/1000;   # slope of the stripes (negative)
    my $b = 442500;                           # distance between neighbouring stripes
    my $d = 138000;                           # offset of stripe n = 0
    
    for(my $i=0; $i < scalar(@dots); $i++) {
              chomp($dots[$i]);
              # split on whitespace: timestamp first, cookie value second
              my($x, $y) = split(' ', $dots[$i]);
              my $bn =  ($y - $k * $x);                    # remove the slope component
              my $n = sprintf("%.0f", (($bn - $d) / $b)); # index of the nearest stripe
              my $diff =  $n * $b + $d - $bn;              # distance from that stripe
              print "$i $diff\n";
    }
    -------------------------------------------------------------------------
    
    Resulting data was again plotted using gnuplot:
    
    http://www.scanit.be/cf/image4.gif
    
    You can see the diagonal pattern again.
    
    Next I estimated the angle of those lines and rotated the values by this
    angle, so that the lines become horizontal instead of diagonal. Then I
    accidentally used a different scale on the x axis and here is what I got:
    
    http://www.scanit.be/cf/image5.gif
    
    You can see the wavy pattern. This is something I cannot think of an
    explanation for. The data was gathered during about 10 hours, so there
    might be a 12 or 24 hour cycle in the values, but it still looks quite
    strange. I stopped my analysis at that.
    
    If someone is interested in this stuff, I can send my data and the
    scripts I used for the analysis. It would be interesting to see if other 
    installations of ColdFusion have the same patterns.
    
    Alla.
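The decomposition the post describes (stripe index plus deviation from the stripe line, equation (2)) can also be used to estimate how much effective randomness a token carries, which is the question a defender auditing session identifiers actually cares about. The following Python is an added example that is not part of the original post or of ColdFusion: it re-implements the perl script's arithmetic, generates a constructed data set that follows equation (2) with a random stripe and a random deviation (the 238 stripes, the 442500 period, the 138000 offset and the slope come from the post; the ~200000 stripe width is taken from the post and split as ±100000; the 720 ms sample spacing is an assumption), and then counts the distinct stripes and the deviation span to compare the observed entropy with the naive log2(10^8) bits of an 8-digit number.

```python
import math
import random

# Constants of the post's equation (2): y = k*x + b*n + d
K = math.tan(math.radians(180 - 6.1806)) / 1000   # slope; negative since tan(180-t) = -tan(t)
B = 442500                                         # distance between neighbouring stripes
D = 138000                                         # offset of stripe n = 0
N_STRIPES = 238                                    # stripe count reported in the post
HALF_WIDTH = 100000                                # assumed: stripes ~200000 wide, centred on the line


def decompose(x, y):
    """Split an observed (timestamp x, CFTOKEN y) pair into the index n of the
    nearest stripe and the deviation from that stripe's line, exactly as the
    perl script in the post does (diff = n*b + d - (y - k*x))."""
    bn = y - K * x
    n = int(round((bn - D) / B))
    diff = n * B + D - bn
    return n, diff


def synth_samples(count, seed=1):
    """Constructed sample set (not real ColdFusion output): each token sits on a
    random stripe with a random deviation, so the analysis can run offline.
    Returns (x, y, n, dev) tuples; n and dev are kept so a test can check
    that decompose() recovers them."""
    rng = random.Random(seed)
    out = []
    for i in range(count):
        x = i * 720.0                       # assumed: one sample every 720 ms (~10 h for 50000)
        n = rng.randrange(N_STRIPES)
        dev = rng.randint(-HALF_WIDTH, HALF_WIDTH)
        y = K * x + B * n + D + dev
        out.append((x, y, n, dev))
    return out


def effective_bits(pairs):
    """Estimate the entropy left in the token: bits for the stripe index plus
    bits for the observed deviation range. Returns (bits, stripe count, span)."""
    stripes = set()
    lo, hi = math.inf, -math.inf
    for x, y in pairs:
        n, diff = decompose(x, y)
        stripes.add(n)
        lo = min(lo, diff)
        hi = max(hi, diff)
    stripe_bits = math.log2(len(stripes))
    dev_bits = math.log2(hi - lo + 1)
    return stripe_bits + dev_bits, len(stripes), (lo, hi)


if __name__ == "__main__":
    data = synth_samples(50000)
    bits, count, span = effective_bits([(x, y) for x, y, _, _ in data])
    print(f"distinct stripes: {count}, deviation span: {span}")
    print(f"estimated entropy: {bits:.1f} bits vs {math.log2(10**8):.1f} bits naive")
```

Run against a real capture, the `pairs` list would be read from the same "timestamp value" file the post describes; the stripe count and deviation span then tell you directly how much of the token's nominal space is actually used, and whether the stripe index or the deviation is the part worth examining further.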
    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 08:31:47 PST