Comments on: Webscarab Tutorial Part 2 (sessiond ID analysis) http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/ Fri, 03 Sep 2010 01:46:39 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Arvind http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-840 Arvind Thu, 03 Jun 2010 06:41:20 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-840 Thanks for this tutorial. The problem in this case is that a session ID is generated on the login page itself and used inside the application as well. So I want to test the strength of this generated session ID. Now Webscarab captures and analyzes etc no problem , except that the session ID always remains the same for all the requests generated. Testing manually and refreshing the page clearly shows that the session ID DOES indeed change for every request, so why does Webscarab "fetch" with the session ID all the time? There's no LOGOUT here, so I closed the browser itself - but that didn't help as expected. Any ideas? Thanks for this tutorial. The problem in this case is that a session ID is generated on the login page itself and used inside the application as well. So I want to test the strength of this generated session ID. Now Webscarab captures and analyzes etc no problem , except that the session ID always remains the same for all the requests generated. Testing manually and refreshing the page clearly shows that the session ID DOES indeed change for every request, so why does Webscarab “fetch” with the session ID all the time? There’s no LOGOUT here, so I closed the browser itself – but that didn’t help as expected. Any ideas?

]]> By: travis http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-660 travis Mon, 03 Aug 2009 09:38:40 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-660 zach, glad the article helped, i write these articles as a reference for myself and the students i teach but i'm always glad to see they help others. zach,

glad the article helped, i write these articles as a reference for myself and the students i teach but i’m always glad to see they help others.

]]> By: Zach http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-659 Zach Mon, 27 Jul 2009 09:01:01 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-659 Great article! I was having problems with my web application not generating a new ID every time I connected. What I did is take the cookies (in my case CFID and CFTOKEN) that store session state. Go (in webscarab) Tools --> Shared Cookies and I set the values of both to nothing. Then I went: Proxy --> Miscellaneous and checked the 'Inject known cookies into requests'. This got the server to create a new session every time I connect. Great article! I was having problems with my web application not generating a new ID every time I connected. What I did is take the cookies (in my case CFID and CFTOKEN) that store session state. Go (in webscarab) Tools –> Shared Cookies and I set the values of both to nothing. Then I went: Proxy –> Miscellaneous and checked the ‘Inject known cookies into requests’. This got the server to create a new session every time I connect.

]]> By: Harjeet http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-656 Harjeet Tue, 16 Jun 2009 06:08:16 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-656 Hi Travis My 1st Prob is: I had deployed a Web Goat in to my local machine. http://localalhost/WebGoat/attack. I am able to Access it. But when i am accessing the same WebGoat Application in different system which is same domain as (http://160.110.233.88/WebGoat/attack) i am not able to access the WebGoat Application.160.110.233.88 is IP of my local system. How can i access Webgoat in different machine? My 2nd problem is: When i am running WebGoat in my local system I set proxy as Localhost & port is 80 it runs fine. Now when i run Webscarab it runs on 8008 port. how can i run both Webgoat as well as Webscarab simaltaneosuly as Webgot runs on port 80 & WebScarab runs on port8008. Help me to solve my problem. Thanks Harjeet Hi Travis

My 1st Prob is:

I had deployed a Web Goat in to my local machine.
http://localalhost/WebGoat/attack. I am able to Access it. But when i am accessing the same WebGoat Application in different system which is same domain as (http://160.110.233.88/WebGoat/attack) i am not able to access the WebGoat Application.160.110.233.88 is IP of my local system. How can i access Webgoat in different machine?

My 2nd problem is:

When i am running WebGoat in my local system I set proxy as Localhost & port is 80 it runs fine. Now when i run Webscarab it runs on 8008 port. how can i run both Webgoat as well as Webscarab simaltaneosuly as Webgot runs on port 80 & WebScarab runs on port8008.

Help me to solve my problem.

Thanks
Harjeet

]]> By: travis http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-652 travis Mon, 01 Jun 2009 17:35:55 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-652 harjeet, without the source code checking for SQLi and XSS will be the same no matter what language you're working in (asp, jsp, php). if you have the source code then things are different. abysssec.com has a great article on checking for typical vulnerabilities within php, go check it out. http://www.abysssec.com/blog/2009/03/php_fuzz_audit/ harjeet,

without the source code checking for SQLi and XSS will be the same no matter what language you’re working in (asp, jsp, php). if you have the source code then things are different. abysssec.com has a great article on checking for typical vulnerabilities within php, go check it out.

http://www.abysssec.com/blog/2009/03/php_fuzz_audit/

]]> By: Harjeet http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-651 Harjeet Mon, 01 Jun 2009 07:03:17 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-651 Hi Travis, How to check the SQLi & XSS in php applications using Webscarab or Do you have any other tools to test php applications. Thanks Harjeet Hi Travis,

How to check the SQLi & XSS in php applications using Webscarab or Do you have any other tools to test php applications.

Thanks

Harjeet

]]> By: travis http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-628 travis Tue, 28 Apr 2009 21:08:36 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-628 alan, you're correct i didn't really explain myself well. i haven't played with that hacme casino app in a while but from what i remember if you don't log out you keep making a request for the same cookie over and over so the cookie never changes. basically webscarab keeps making requests with the cookie tied to your login. once you log out and then do the session analysis on the login / logout process webscarab will grab a "unique" cookie each time it makes the request. the main thing you want to do is under the "SessionID Analysis" within Webscarab keep hitting the "Test" button to make sure the cookie changes. depending on the application some cookies will never change because they are sorta place holders if you will. the key is to find the cookie that is responsible for maintaining state. hope this helps? if not let me know and i can email you directly. also thanks for the positive comment. alan,

you’re correct i didn’t really explain myself well. i haven’t played with that hacme casino app in a while but from what i remember if you don’t log out you keep making a request for the same cookie over and over so the cookie never changes. basically webscarab keeps making requests with the cookie tied to your login. once you log out and then do the session analysis on the login / logout process webscarab will grab a “unique” cookie each time it makes the request. the main thing you want to do is under the “SessionID Analysis” within Webscarab keep hitting the “Test” button to make sure the cookie changes.

depending on the application some cookies will never change because they are sorta place holders if you will. the key is to find the cookie that is responsible for maintaining state. hope this helps? if not let me know and i can email you directly. also thanks for the positive comment.

]]> By: alan http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-627 alan Tue, 28 Apr 2009 16:54:38 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-627 Great walkthrough on session ids. You mentioned that there is an issues with analysis when you don't log out of session which you were going to touch on. Did I miss that in the article? Great walkthrough on session ids. You mentioned that there is an issues with analysis when you don’t log out of session which you were going to touch on. Did I miss that in the article?

]]> By: Lily Bu http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-431 Lily Bu Sun, 29 Mar 2009 15:00:48 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-431 Great, I like this one, especially the video about cookie analysis. Great, I like this one, especially the video about cookie analysis.

]]> By: LalKumar http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/comment-page-1/#comment-57 LalKumar Mon, 18 Feb 2008 07:28:27 +0000 http://travisaltman.com/webscarab-tutorial-part-2-sessiond-id-analysis/#comment-57 U done a great job with excellent presentations. U done a great job with excellent presentations.

]]>