Page 1 of 40
iALERT White Paper: “Brute-Force Exploitation of Web Application Session IDs”
Copyright © 2001, iDEFENSE Inc. iDEFENSE and iALERT are Service Marks for iDEFENSE Inc.
iALERT White Paper
Brute-Force Exploitation of Web Application Session IDs
By David Endler
Director, iDEFENSE Labs
dendler@idefense.com
November 1, 2001
iDEFENSE Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
Main: 703-961-1070
Fax: 703-961-1071
http://www.idefense.com
Copyright © 2001, iDEFENSE Inc.
“The Power of Intelligence” is trademarked by iDEFENSE Inc.
iDEFENSE and iALERT are Service Marks of iDEFENSE Inc.
TABLE OF CONTENTS
Introduction (page 3)
Session IDs (page 4)
  Some Session ID Examples (page 4)
    COOKIES (page 4)
    STATIC URL WITH SESSION ID (page 5)
    HIDDEN INPUT FIELDS WITH SESSION ID (page 5)
Susceptibility of Session IDs to Attack (page 6)
Session ID Exploitation Mechanics (page 8)
  A URL Session ID Cracking Example (page 8)
    Bring on the Perl