Web Security Testing : Manipulating Sessions - Analyzing Session Identifiers with Burp

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

1. Problem

If the session identifier can be predicted, an attacker can steal the next user’s session and thus impersonate the user. Random, unpredictable session identifiers are crucial to the security of a web application. Analyzing randomness can be a difficult statistical procedure. Fortunately there is a handy tool, the Burp suite, that can aid in this test.

2. Solution

Fire up the Burp suite and configure the proxy for use with Firefox . Turn the automatic intercept option off. Then, navigate to your web application. Once Burp has recorded a request and response from your web application in the proxy history, right-click on the request and select “send to sequencer,” as shown in Figure 1.

Figure 1. Sending a request to the Burp sequencer

The Sequencer tab will light up red; go ahead and click on it. Sometimes the Burp sequencer can identify the session identifier (it refers to it as the “token”) on its own; if not, you’ll have to highlight the session identifier yourself within the server response. Burp will pick it up from there.

If you’re unable to find a session identifier, it’s likely because the server didn’t set one via that response. Navigate to wherever in your site session cookies are first set. If you don’t know where that is, open the Edit Cookies extension, set the filter to your site, and delete all known cookies. Then, after browsing to each new page, refresh Edit Cookies to display cookies for your site again—if one shows up, you know it was set on this particular page response.

Once you have a session identifier located within Burp sequencer, press the Start Capture button on the lower right. This will send repeated requests to your application, retrieving a new session identifier each time. Capture a statistically viable number of session identifiers (we recommend 10,000—but 100 will work for a demonstration).

Once a sizable enough sample has been collected, pause the collection and select the Analyze Now button.

The results will contain a great deal of statistics, but the general summary is contained within the first page, shown in Figure 2. In fact, the first line will tell you mostly what you need to know. It will read that “The overall quality of randomness within the sample is estimated to be:” very good, good, reasonable, poor, or very poor. The rest of the statistics are there if you need them.

Figure 2. Burp sequencer results

3. Discussion

The Burp sequencer can’t provide 100% assurance that your session IDs are truly random. That would take an advanced degree relating to statistics and information theory, towards the beginning of which you’d learn that 100% assurance is impossible. Meanwhile, if you don’t have time for an advanced degree, the Burp sequencer provides extremely comprehensive analysis. It shouldn’t be trusted absolutely, but given the choice between no statistical analysis and Burp, you should at least try Burp.

Ensuring session-identifier randomness can be difficult. The randomness will usually be determined by the framework. Fortunately, this test can be performed as soon as a session is set, even if not a single page of the application is working. If the developers build a “Hello World” page that sets a session ID, you can run this test—long before any problems relating to sessions start to become important. Because it can be done so early, this recipe makes an excellent test to evaluate a framework.

  •  Programming .NET Security : Extending the .NET Framework (part 2) - Defining the Key Exchange Deformatter
  •  Programming .NET Security : Extending the .NET Framework (part 1) - Defining the Key Exchange Formatter
  •  Programming .NET Security : Programming Cryptographic Keys (part 3) - Key Exchange Formatting
  •  Programming .NET Security : Programming Cryptographic Keys (part 2) - Using Key Persistence
  •  Programming .NET Security : Programming Cryptographic Keys (part 1) - Creating Keys
  •  Deploying a Windows Server 2008 R2 Network Policy Server
  •  Understanding Network Access Protection (NAP) in Windows Server 2008 R2
  •  Programming .NET Security : Cryptographic Keys Explained
  •  Windows Server 2008 : Transport-Level Security - Using IPSec Encryption with Windows Server 2008 R2
  •  Windows Server 2008 : Transport-Level Security - Active Directory Rights Management Services
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us