From: Chris Scott (chrishostorlando.com)
Date: Wed Feb 06 2002 - 10:13:21 CST
Interesting. I've seen the same behavior when generating GUIDs from ASP but
from SQL 7.0 I get:
Using the following SQL:
SET NOCOUNT ON
DECLARE @COUNTER NUMERIC          -- T-SQL variable names need the @ prefix
SELECT @COUNTER = 1
WHILE (@COUNTER < 5)
BEGIN
    SELECT NEWID()                -- one GUID per pass through the loop
    SELECT @COUNTER = @COUNTER + 1
END
> -----Original Message-----
> From: Neil [mailto:webapp1geekshanty.com]
> Sent: Wednesday, February 06, 2002 10:04 AM
> To: Innes Fisher
> Cc: webappsecsecurityfocus.com
> Subject: Re: SQL GUID as a session authentication token
> GUIDs created using NEWID() are *not* a secure identifier. They are
> unique, but extremely predictable and should not be used as an
> authentication method.
> SELECT NEWID() (done 5 times)
> As you can see, most of the GUID is the same each time. From what I
> remember, the GUID is based in part on your MAC address and then an
> ever increasing number. This is even worse because the value isn't
> seeded based on time! To get the last connection you simply modify
> the GUID counter part down a number or 2 and you now have a valid
> In short, GUIDs are about as predictable as they come and should not
> be used as an identifier for a security token.
> Hope this helps,
> On 02-06 (08:14), Innes Fisher wrote:
> > I'm reviewing the security design on a web app which
> > uses a GUID generated by a backend MS SQL
> > database as the session token for the authenticated
> > user.
> > While using GUIDs will theoretically guarantee
> > uniqueness of the tokens, I have serious reservations
> > about it being used in this way. If GUIDs can be
> > predicted in advance it would be possible to appear to
> > be an authenticated user.
> > How predictable are GUIDs and has anyone seen
> > them used in this way before?
> > Is this as crazy as I think?
> > Thanks,
> > Innes
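Added example, not code from the thread or from any of the posters: a small Python audit that parses a few constructed GUID strings with the standard `uuid` module, reports the version nibble and, for time-based version-1 GUIDs, the node (MAC-derived) and timestamp fields Neil describes, and contrasts them with a session token drawn from the OS CSPRNG via `secrets`. Every token value below is constructed for illustration; none comes from a real SQL Server.

```python
import secrets
import uuid

# Constructed sample tokens (not taken from the thread).
# Two RFC 4122 version-1 GUIDs that share the node field and differ only in
# the low byte of the timestamp, the pattern described in the thread, plus
# one version-4 (random-layout) GUID for contrast.
V1_TOKENS = [
    "0f2a3b40-1a2b-11d1-80b4-00c04fd430c8",
    "0f2a3b41-1a2b-11d1-80b4-00c04fd430c8",
]
V4_TOKEN = "9f1c2e40-5b0a-4d7e-9c3a-2b7d8e5f1a6c"


def classify(token: str) -> dict:
    """Parse a GUID string and report the fields that make a v1 GUID guessable.

    For version 1 the 60-bit timestamp, 14-bit clock sequence and 48-bit node
    are all exposed; an attacker who sees one token knows most of the next one.
    """
    u = uuid.UUID(token)
    info = {"version": u.version, "time_based": u.version == 1}
    if u.version == 1:
        info["node"] = f"{u.node:012x}"      # 48-bit node, historically the MAC
        info["time"] = u.time                # 100 ns ticks since 1582-10-15
        info["clock_seq"] = u.clock_seq
    return info


def shared_node(tokens) -> bool:
    """True when every version-1 token in the sample carries the same node field."""
    nodes = set()
    for t in tokens:
        u = uuid.UUID(t)
        if u.version == 1:
            nodes.add(u.node)
    return len(nodes) == 1


def unsafe_for_session(token: str) -> bool:
    """Flag a version-1 GUID: its value is derived from node and clock, not
    from a CSPRNG. (The version nibble alone cannot prove that a version-4
    GUID was generated with a cryptographic RNG; it only rules out v1.)"""
    return uuid.UUID(token).version == 1


def new_session_token(nbytes: int = 32) -> str:
    """Session identifier with nbytes of OS-CSPRNG entropy (256 bits by default),
    URL-safe base64 without padding, 43 characters for 32 bytes."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for t in V1_TOKENS + [V4_TOKEN]:
        print(t, classify(t), "UNSAFE" if unsafe_for_session(t) else "ok")
    print("v1 tokens share one node:", shared_node(V1_TOKENS))
    print("CSPRNG session token:", new_session_token())
```

The two constructed v1 GUIDs differ by exactly one timestamp tick, which is what "most of the GUID is the same each time" looks like once the fields are decoded; `shared_node` is the check to run over a captured batch of tokens from an application under review.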