If any hashes match, the attacker knows that sequential numbers are being used and can compromise any session ID they wish.

Another example of bad session ID generation is the use of some user-specific data concatenated with another source of data. Often, a session ID such as this is generated by concatenating the username with a timestamp, with the result being Base64 encoded and then used as the session ID. This method is considered highly insecure because it is very easy for an attacker to notice this by analyzing multiple session IDs. When an attacker looks at a series of cookies generated in this way, he will notice that while the first several characters of the cookie change on a per-user basis, the rest of the characters change on a per-session basis. An attacker quickly deduces this to be a username and timestamp combination, which can be easily spoofed.

Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 167

Additionally, some developers build on the previous example of using a username and timestamp combination, but then run the result through a hash function before Base64 encoding it. It is often believed that this adds significant security, because the result now appears random each time.
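The following Python is an added example, not code from the book: it builds the two weak schemes just described (plain and hashed username-plus-timestamp) next to a CSPRNG-based generator, and includes a reviewer-side audit that classifies a batch of cookie values, plus a self-test showing that hashing a guessable input does not add entropy. All usernames, timestamps and function names are constructed for illustration.

```python
import base64, binascii, hashlib, re, secrets, string

# Constructed examples of the weak schemes discussed in the text (not real cookies).
def weak_session_id(username: str, ts: int) -> str:
    """base64(username + timestamp): the structure shows straight through the encoding."""
    return base64.b64encode(f"{username}{ts}".encode()).decode()

def hashed_weak_session_id(username: str, ts: int) -> str:
    """base64(sha1(username + timestamp)): looks random, but the input is still guessable."""
    return base64.b64encode(hashlib.sha1(f"{username}{ts}".encode()).digest()).decode()

def strong_session_id() -> str:
    """What a generator should do instead: 256 bits from the OS CSPRNG, no structure."""
    return secrets.token_urlsafe(32)

def _decode(sid: str):
    """Decode standard or URL-safe base64, tolerating stripped padding; None if not base64."""
    std = sid.replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def audit_session_ids(ids: list) -> str:
    """Classify a batch of session IDs from the cookie values alone, as a reviewer would."""
    decoded = [_decode(s) for s in ids]
    if any(d is None for d in decoded):
        return "opaque: not base64"
    printable = set(string.printable.encode())
    if not all(set(d) <= printable for d in decoded):
        return "opaque bytes: random data or a hash; review what the hash input is"
    texts = [d.decode() for d in decoded]
    if all(re.search(r"\d{10}$", t) for t in texts):
        return "predictable: readable text ending in a Unix-timestamp-like number"
    return "structured: decodes to readable text, review what it is built from"

def derivable_from_inputs(sid: str, username: str, approx_ts: int, window: int = 60) -> bool:
    """Generator self-test: can this ID be rebuilt from a username and a rough issue time?
    True means the scheme has no real entropy, hashed or not."""
    for t in range(approx_ts - window, approx_ts + window + 1):
        if sid in (weak_session_id(username, t), hashed_weak_session_id(username, t)):
            return True
    return False
```

The audit alone cannot tell a hashed low-entropy ID from a random one, which is why the self-test against the generator's own inputs is the check that matters.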