[23125] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Brute-Forcing Web Application Session IDs

daemon@ATHENA.MIT.EDU (dendler@idefense.com)
Tue Nov 13 11:54:45 2001

From: dendler@idefense.com
To: bugtraq@securityfocus.com, webappsec@securityfocus.com,
        pen-test@securityfocus.com, secpapers@securityfocus.com
Date: Tue, 13 Nov 2001 09:52:53 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Message-ID: <3BF0ED75.4920.5548D03@localhost>

Hello,

iDEFENSE Labs has released a paper entitled "Brute-Force
Exploitation of Web Application Session IDs." It covers the basics
of brute-forcing web applications through guessing or reverse
engineering state session IDs which are often used for
authentication purposes. Several examples are shown using some
familiar web sites and applications on how stealing or mimicking a
legitimate user's credentials is possible. All relevant vendors and
site administrators were informed responsibly before publication.

The paper is available at http://www.idefense.com/sessionids.html

David Endler
Director, iDEFENSE Labs
dendler@idefense.com
www.idefense.com


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[23125] in bugtraq

Brute-Forcing Web Application Session IDs

daemon@ATHENA.MIT.EDU (dendler@idefense.com)Tue Nov 13 11:54:45 2001

daemon@ATHENA.MIT.EDU (dendler@idefense.com)
Tue Nov 13 11:54:45 2001