Figure 6-6 Cookie values appear to be random.
Chapter 6: AJAX Types, Discovery, and Parameter Manipulation 169
3. Connect to the target site in the web browser. In this case, the site
http://labs.isecpartners.com/HackingExposed20/timestamp_cookie.php is used.
4. Check the WebScarab summary to ensure that a cookie has been set in the
Set-Cookie column. Note the ID number of this request.
170 Hacking Exposed Web 2.0
5. Click the SessionID Analysis button at the top of WebScarab. In the Previous
Requests drop-down menu, select the request ID number noted in step 4.
Click the Test button at the bottom to ensure that WebScarab is able to identify
the Session ID in the request. If WebScarab identifies the Session ID, a box will
pop up confirming this.
6. After confirming that WebScarab can identify the Session ID, set the sample size
field to 1000 queries and click the Fetch button to begin testing.
7. Once testing has begun, select the item in the Session Identifier drop-down
menu of the Analysis tab in the SessionID Analysis window.
8. Finally, after selecting the Session ID, select the Visualisation tab of the
SessionID Analysis window to view a graph of the predictability of session IDs
in the target application.
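The WebScarab graph in step 8 answers one question: do the collected IDs march upward like a clock or counter, or scatter like random values? The script below does the same check offline with numbers instead of a picture. It is an added example, not code from the book or from WebScarab. The Set-Cookie headers are constructed: the "weak" run imitates an ID that is a hex timestamp stepping by one per request, the "strong" run stands in for a CSPRNG-backed ID (derived from SHA-256 so the example is deterministic). The cookie name PHPSESSID is assumed; nothing here was captured from the isecpartners lab site.

```python
"""Offline check of how predictable a run of session cookies is.

Added example, not code from the book or from WebScarab.  It mimics what the
SessionID Analysis visualisation shows (value against sequence number) with
numbers instead of a graph.  All Set-Cookie headers below are constructed; none
were captured from the isecpartners lab site.
"""
import hashlib
import math
import re
from typing import Dict, List

COOKIE_NAME = "PHPSESSID"  # assumed cookie name; the lab page may use another

# Constructed "weak" run: an ID that is just a second-resolution timestamp in hex,
# stepping by one with every request (the shape a clock-based cookie would have).
_EPOCH = 1_200_000_000  # arbitrary constructed start value
WEAK_HEADERS = [f"Set-Cookie: {COOKIE_NAME}={_EPOCH + i:x}; path=/" for i in range(20)]

# Constructed "strong" run: 128-bit values derived from SHA-256 so the example is
# deterministic; stands in for a CSPRNG-backed session ID.
STRONG_HEADERS = [
    f"Set-Cookie: {COOKIE_NAME}={hashlib.sha256(b'sample-%d' % i).hexdigest()[:32]}; path=/"
    for i in range(20)
]


def parse_set_cookie(header: str, name: str = COOKIE_NAME) -> str:
    """Pull the value of `name` out of a raw Set-Cookie header line."""
    m = re.search(rf"(?:^|[;\s]){re.escape(name)}=([^;\s]+)", header)
    if not m:
        raise ValueError(f"{name} not found in: {header}")
    return m.group(1)


def cookie_to_int(value: str) -> int:
    """Interpret the cookie as a number, as any tool must before graphing it:
    decimal if it is all digits, hex if it is all hex digits, else the raw bytes."""
    if value.isdigit():
        return int(value, 10)
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return int(value, 16)
    return int.from_bytes(value.encode(), "big")


def per_char_entropy(values: List[str]) -> float:
    """Mean Shannon entropy (bits) of each character position across the sample.
    Constant positions contribute 0, so a mostly-fixed timestamp scores low."""
    width = min(len(v) for v in values)
    n = len(values)
    total = 0.0
    for pos in range(width):
        counts: Dict[str, int] = {}
        for v in values:
            counts[v[pos]] = counts.get(v[pos], 0) + 1
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / width


def analyze(headers: List[str], name: str = COOKIE_NAME) -> Dict[str, object]:
    """Summarise a run of Set-Cookie headers: is the ID a counter or clock in disguise?"""
    values = [parse_set_cookie(h, name) for h in headers]
    nums = [cookie_to_int(v) for v in values]
    steps = [b - a for a, b in zip(nums, nums[1:])]
    rising = sum(1 for s in steps if s > 0)
    # Fraction of consecutive pairs moving in the dominant direction; 1.0 is a
    # strictly rising (or falling) line on the WebScarab graph.
    monotonic_fraction = max(rising, len(steps) - rising) / len(steps)
    value_bits = max(nums).bit_length()
    step_bits = max(abs(s) for s in steps).bit_length()
    report: Dict[str, object] = {
        "distinct": len(set(values)),
        "monotonic_fraction": monotonic_fraction,
        "constant_step": len(set(steps)) == 1,
        "value_bits": value_bits,
        "step_bits": step_bits,
        "char_entropy_bits": per_char_entropy(values),
    }
    # Heuristic verdict: a sequence that marches in one direction in steps far
    # smaller than the values themselves is a counter or clock, not random.
    report["predictable"] = monotonic_fraction >= 0.9 and step_bits <= value_bits // 2
    return report


if __name__ == "__main__":
    for label, run in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, analyze(run))
```

To use it against a real target, replace the constructed header lists with the Set-Cookie lines WebScarab logged for the 1000 fetched requests (or fetch them yourself), keeping one header per response in the order received. A high `monotonic_fraction` with a small `step_bits` relative to `value_bits` is the numeric equivalent of the straight rising line in the Visualisation tab; a low per-character entropy shows which part of the value is actually varying.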