Software QA FYI - SQAFYI

How to test session identifier strength with WebScarab

Contents
* 1 Objective
* 2 Approach
* 3 Collecting session identifiers
* 4 Analysing the results
* 5 Looking at the graph
o 5.1 Plotting the results in an external program
o 5.2 Caveats on Predictability and Randomness

Objective
To collect and examine a reasonably large sample of session identifiers, in order to determine whether they could be vulnerable to prediction or brute-force attacks.
Approach
Identify a request that generates a suitable session identifier. For example, if the identifier is supplied in a cookie, look for responses that include Set-Cookie headers, then use the request repeatedly to obtain more session identifiers. We will then perform some analysis on the resulting series of identifiers. The WebScarab SessionID analysis plugin currently converts the session identifier into a large integer, using a per-position base-conversion algorithm. I'll explain more about the algorithm later, once we have collected some results.
Collecting session identifiers
It is possible to collect session identifiers from Set-Cookie headers as well as from within the body of the response. WebScarab will collect all identifiers from all cookies if the radio button is set to "Cookies". In that case it is not necessary to provide a name for the session identifier, as WebScarab uses the site name, path and cookie name to construct a unique identifier. If you choose to extract session identifiers from the body of the response, you have to give the identifier a unique name and provide a regular expression that defines which part of the response body is the identifier. This is typically done by using ".*" to match all characters leading up to some unique surrounding text, followed by that unique text, then a capturing group surrounded by parentheses (e.g. "(....)" would capture 4 characters), and finally ".*" again to match all characters to the end of the body text.

For a more concrete example, let's suppose that the identifier is in a URL query parameter in the body text, and the url parameter is called "id". An example might look like: http://www.example.com/loggedin.aspx?id=<10 alphanumeric characters>

A suitable regex might be: .*loggedin.aspx\?id=(.{10}).*
Note that the unescaped dot in "loggedin.aspx" matches any single character, so the pattern above will also match text such as "loggedinXaspx"; writing it as "loggedin\.aspx" is stricter and avoids that, while the "?" must be escaped as shown because it is a regex metacharacter.
In order to check that your regular expression is actually correctly matching the text in the response, use the "Test" button to show what would be extracted. The results of the test are not stored for later use.

Once you are satisfied with your configuration, simply enter the number of samples desired and press "Fetch". If you decide to interrupt the collection process, you can do so by requesting 0 samples and pressing "Fetch" again.
Analysing the results
As mentioned earlier, WebScarab uses a per-position base-conversion algorithm to convert a string into a number. What this really means is that the string is converted to a number using the same approach one uses to convert a number from one base (e.g. hex, base 16) to another (e.g. decimal, base 10). The major difference is that the base can change for each position/index, according to which characters have actually been observed in that position throughout the sampled series. This means that if you have a constant character in the middle of your series, the base for that position ends up being 1; the only digit in a base-1 number system is 0, so the constant character contributes nothing to the numerical value of the total. Note that the bases are derived from the sample, not from the generator: a position that happens to show only a few characters in your sample is treated as a small base, so the resulting numbers describe the space you observed, not the space the server could in principle produce.

Here is a worked example, on a small scale.
Assuming we have the following session ids:
AAAA
AAAC
ABAB
ABAD

Starting from the left-most column (MSB), we have the following observed character sets:
1: "A"
2: "A", "B"
3: "A"
4: "A", "B", "C", "D"

So, our bases are, in order (1,2,1,4).
Let's calculate the value of each id. In order to translate each character to a number, we use its zero-based position in the sorted character set:
AAAA = 0 * (2*1*4) + 0 * (1*4) + 0 * (4) + 0 = 0
AAAC = 0 * (2*1*4) + 0 * (1*4) + 0 * (4) + 2 = 2
ABAB = 0 * (2*1*4) + 1 * (1*4) + 0 * (4) + 1 = 5
ABAD = 0 * (2*1*4) + 1 * (1*4) + 0 * (4) + 3 = 7
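The following Python script is an added example (not WebScarab's own code) that reproduces both the body-extraction step from the "Collecting session identifiers" section and the per-position base conversion worked through above. It uses the article's regex for the "loggedin.aspx?id=" case, with the dot escaped, applied to constructed sample response bodies, then converts a series of identifiers to integers exactly as in the AAAA/AAAC/ABAB/ABAD example. The helper names, the sample bodies and the "effective bits" and successive-difference measures are assumptions added here to show how the numbers are used.

```python
import math
import re
from typing import List, Optional, Tuple

# The article's extraction regex with the literal dot in "loggedin.aspx" escaped;
# re.DOTALL lets the leading and trailing ".*" span newlines in a multi-line body.
SESSION_ID_RE = re.compile(r".*loggedin\.aspx\?id=(.{10}).*", re.DOTALL)

# Constructed sample response bodies (assumption: not captured from any real site).
SAMPLE_BODIES = [
    "<html><body>\n<a href=\"http://www.example.com/loggedin.aspx?id=k3f9x2q8m1\">continue</a>\n</body></html>",
    "<html><body>\n<a href=\"http://www.example.com/loggedin.aspx?id=k3f9x2q8m2\">continue</a>\n</body></html>",
    "<html><body>\n<p>Login failed</p>\n</body></html>",
]


def extract_id(body: str, pattern: "re.Pattern[str]" = SESSION_ID_RE) -> Optional[str]:
    """Apply the extraction regex to one response body; None if it does not match."""
    m = pattern.match(body)
    return m.group(1) if m else None


def per_position_charsets(ids: List[str]) -> List[List[str]]:
    """Sorted set of characters observed at each position across the sample.
    The length of each set is that position's base."""
    width = len(ids[0])
    if any(len(sid) != width for sid in ids):
        raise ValueError("all sampled identifiers must have the same length")
    return [sorted({sid[pos] for sid in ids}) for pos in range(width)]


def to_integer(sid: str, charsets: List[List[str]]) -> int:
    """Per-position base conversion, most significant position first (Horner's rule):
    the weight of each position is the product of the bases to its right, so a
    position whose base is 1 contributes nothing, as the article explains."""
    value = 0
    for ch, cs in zip(sid, charsets):
        value = value * len(cs) + cs.index(ch)
    return value


def effective_bits(charsets: List[List[str]]) -> float:
    """log2 of the product of the bases: the size of the space actually observed in
    the sample. It bounds what the sample shows; it is not the generator's entropy."""
    return math.log2(math.prod(len(cs) for cs in charsets))


def successive_deltas(values: List[int]) -> List[int]:
    """Differences between consecutive values; small, constant or slowly growing
    deltas are the classic sign of a counter- or time-based identifier."""
    return [b - a for a, b in zip(values, values[1:])]


def analyse(ids: List[str]) -> Tuple[List[List[str]], List[int], float, List[int]]:
    """Run the whole pipeline over a series of identifiers in collection order."""
    charsets = per_position_charsets(ids)
    values = [to_integer(sid, charsets) for sid in ids]
    return charsets, values, effective_bits(charsets), successive_deltas(values)


if __name__ == "__main__":
    # The article's small-scale example: bases (1,2,1,4), values (0,2,5,7).
    charsets, values, bits, deltas = analyse(["AAAA", "AAAC", "ABAB", "ABAD"])
    print("bases:", [len(cs) for cs in charsets], "values:", values, "bits:", bits)
    # Identifiers pulled out of the constructed bodies; the failed login yields none.
    sampled = [sid for sid in map(extract_id, SAMPLE_BODIES) if sid is not None]
    print("extracted:", sampled, "deltas:", analyse(sampled)[3])
```

Run it on a real series by replacing SAMPLE_BODIES with bodies you captured, in the order they were received; the order matters, because the successive differences are what expose a counter or timestamp hiding inside an otherwise alphanumeric identifier.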
