From: Curphey, Mark (mark.curphey@foundstone.com)
Date: Fri May 13 2005 - 13:57:49 EDT
We are pleased to release another free tool for your pleasure....
For the Impatient
Download Binaries -
http://www.foundstone.com/resources/termsofuse.htm?file=cookiedigger.zip
Download User Guide -
http://www.foundstone.com/resources/downloads/Foundstone_CookieDigger_Wh
itepaper.pdf
For the Less Impatient
CookieDigger, designed by Foundstone, is a free tool to help identify
weak cookie generation and usage by web applications. The tool works by
collecting and analyzing cookies issued by a web application for
multiple users.
The tools functionality can be divided into 3 broad categories.
1. Cookie Collection
2. Cookie Analyses
3. Results
Average Length of the Cookie: If the average cookie length of the cookie
that is used as an authenticator is small then it would take fewer brute
force attempts to hijack another users session. On a popular site we
can assume many users to be logged in at the same time, therefore the
chances of a successful brute force attempt is high.
Character Set of the Cookie: The character set employed in the
generation of cookie value plays an important role in the determining
the strength of the authenticator. For any given cookie length, a large
character set increases the strength of the authenticator exponentially.
If the attacker can determine the character set employed by the
application, the brute force attempts can be crafted more efficiently.
The combination of the length of the cookie and the character set used
determines the strength of the authenticator.
Critical Information: The tool checks the cookie values set by the
application to see if any of the cookies contains the usernames or
password values in it. The check is performed on both the plain text
value of the cookie and on the base64 decoded value of the cookie. Other
common useful information passed in the cookie values are account
numbers, names, privilege levels, etc.
Entropy of the Cookies: The tool compares the different values of the
cookie values to check how many characters are changing for every
subsequent login. If the cookie value remains the same on subsequent
logins, it shows that the algorithm used for generating the cookies is
vulnerable to chosen plain text attacks. Furthermore, if the cookie
values remain the same on subsequent logins it gives the attacker longer
periods of time to perform the brute forces attempts.
More and lots of screen shots in the whitepaper
Mark Curphey
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:20 EDT