The Ugly
The simplest approach to session identification cookies is Base64 encoding a simple incremented
number such as a timestamp. To exploit a session identifier such as this, an
attacker needs only to Base64 decode the value and increment or decrement the number used as the session ID to find other
valid session IDs. While session cookies such as this are largely not seen anymore, simple
incremented cookies still occur occasionally and are by far the least secure method of
session identifier generation. Figure 6-5 shows that using an incremented value
such as a timestamp is easily predictable in WebScarab.
The Bad
While making session identification cookies plainly obvious as a sequential number is
uncommon, a large number of equally bad cookie generation schemes are seen far more
often.
The first example of a bad cookie scheme is the case of simply extending the use of a
sequential number by wrapping a hash function around it and then Base64 encoding the
result. From a quick look at a cookie generated in this manner, it would appear secure, as
if the session ID were now a random value each time. However, if an attacker encounters
a seemingly random session ID, one of the first attacks he will try is to run a hash function
over a large sequential range of numbers and compare each output against the captured cookie; a
match reveals the underlying counter, and neighbouring session IDs follow directly from it.
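The following Python script is an added example, not code from the book or from WebScarab. It models both schemes above with constructed values: the Ugly scheme as Base64 of a decimal counter, and the Bad scheme as Base64 of an MD5 digest of that same counter (MD5 and the decimal encoding are assumptions for illustration; the weakness shown is the predictable input, not the particular hash). It then carries out the two attacks described: decode-and-increment against the Ugly scheme, and a precomputed hash table over a sequential range against the Bad scheme.

```python
import base64
import hashlib

# All session values below are constructed for the demonstration;
# no real application, cookie or user is involved.


def ugly_session_id(counter: int) -> str:
    """'The Ugly': Base64 of a plain incrementing number (e.g. a timestamp)."""
    return base64.b64encode(str(counter).encode()).decode()


def bad_session_id(counter: int) -> str:
    """'The Bad': the same counter hidden behind a hash, then Base64-encoded.

    MD5 is an assumed choice here; any hash gives the same weakness when the
    input is a predictable sequence.
    """
    digest = hashlib.md5(str(counter).encode()).digest()
    return base64.b64encode(digest).decode()


def predict_neighbours(captured_cookie: str, span: int = 3) -> list:
    """Attack on the Ugly scheme: decode the captured cookie, then enumerate
    the session IDs issued just before and just after it."""
    counter = int(base64.b64decode(captured_cookie).decode())
    return [ugly_session_id(counter + d)
            for d in range(-span, span + 1) if d != 0]


def build_hash_table(start: int, count: int) -> dict:
    """Attack on the Bad scheme, step 1: hash a large sequential range up
    front and index the table by the cookie value an application would emit."""
    return {bad_session_id(n): n for n in range(start, start + count)}


def recover_counter(captured_cookie: str, table: dict):
    """Attack on the Bad scheme, step 2: look the 'random-looking' cookie up.
    Returns the underlying counter, or None if it lies outside the table."""
    return table.get(captured_cookie)


def forge_neighbours(captured_cookie: str, table: dict, span: int = 3) -> list:
    """Attack on the Bad scheme, step 3: once the counter is known, the
    neighbouring session IDs are computed exactly as the server would."""
    counter = recover_counter(captured_cookie, table)
    if counter is None:
        return []
    return [bad_session_id(counter + d)
            for d in range(-span, span + 1) if d != 0]


if __name__ == "__main__":
    # Ugly: a captured cookie built from a constructed counter value.
    captured_ugly = ugly_session_id(1000)
    print("captured (ugly):", captured_ugly)
    print("candidate neighbours:", predict_neighbours(captured_ugly, span=2))

    # Bad: the attacker does not know the counter, only that it is likely a
    # sequence; a table over a plausible window breaks it immediately.
    captured_bad = bad_session_id(1000)
    table = build_hash_table(start=900, count=200)
    print("captured (bad):", captured_bad)
    print("recovered counter:", recover_counter(captured_bad, table))
    print("forged neighbours:", forge_neighbours(captured_bad, table, span=2))
```

In practice the sequential window is chosen from whatever the counter is likely to be: for a timestamp, the seconds or milliseconds around the time the cookie was observed; for an opaque counter, a range around whatever value a few successive logins reveal once the first cookie has been matched.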