OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Kevin Spett (kspett_at_spidynamics.com)
Date: Fri Dec 06 2002 - 09:18:35 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:

    "LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit session ID
    (see later for how session ID is created)
    Session ID is created from a random seed number that is generated when the
    system starts up). The random seed is incremented every time a new session
    starts. Note that the "munge" doesn't increment in the same way that the
    Session ID does.
    Since the 8 char string after ASPSESSIONID is a "munge" of the process ID it
    will be (a) the same for all "In-process" applications (b) a different value
    is shared for all "Medium isolation (pooled)" applications and (c) unique
    for each Out-of-process application."

    From
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/
    aspwsm.asp:

    "The following steps are taken when generating ASP session cookies:
    * Session ID values are 32-bit long integers.
    * Each time the Web server is restarted, a random Session ID starting value
    is selected.
    * For each ASP session that is created, this Session ID value is
    incremented.
    * The 32-bit Session ID is mixed with random data and encrypted to generate
    a 16-character cookie string. Later, when a cookie is received, the Session
    ID can be restored from the 16-character cookie string (ASPSESSIONID).
    * The encryption key used is randomly selected each time the Web server is
    restarted."

    I don't know for sure, but I'm guessing that they're using CryptGenRandom
    for the PRNG, which uses mouse & keyboard events timing, system clock,
    system time, system counter, memory status, free disk clusters, etc. To my
    knowledge, it's sufficiently "random" to make them unpredictable in
    practical terms.

    Hope that helps.

    Kevin Spett
    SPI Labs
    http://www.spidynamics.com/

    ----- Original Message -----
    From: "Cade Cairns" <cairnscsecurityfocus.com>
    To: "Kevin Spett" <kspettspidynamics.com>
    Cc: <webappsecsecurityfocus.com>
    Sent: Friday, December 06, 2002 2:48 AM
    Subject: Re: IIS session cookies

    > I'm curious whether the ASPSESSIONID value generated is predictable and if
    > so, to what extent.
    >
    > Cade Cairns
    > Symantec Corporation
    >
    > On Thu, 5 Dec 2002, Kevin Spett wrote:
    >
    > > What do you mean by "IIS session cookies"? Do you mean the ASPSESSIONID
    > > feature? And what do you mean by formed? Are you talking about the PRNG
    > > behind it, or how a developer can use them?
    > >
    > >
    > > Kevin Spett
    > > SPI Labs
    > > http://www.spidynamics.com/
    > >
    > > ----- Original Message -----
    > > From: "Cade Cairns" <cairnscsecurityfocus.com>
    > > To: <webappsecsecurityfocus.com>
    > > Sent: Thursday, December 05, 2002 5:29 PM
    > > Subject: IIS session cookies
    > >
    > >
    > > > Hello webappsec,
    > > >
    > > > I'm looking for information on how IIS session cookies are formed
    (that
    > > > is, what data they consist of or how they are encoded, etc.) Is
    anyone
    > > > aware of any papers or resources on the subject?
    > > >
    > > > Thanks,
    > > >
    > > > Cade Cairns
    > > > Symantec Corporation
    > > >
    > > >
    > >
    >
    >