Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
From: dendler@idefense.com
To: bugtraq@securityfocus.com, webappsec@securityfocus.com,
	pen-test@securityfocus.com, secpapers@securityfocus.com
Date: Tue, 13 Nov 2001 09:52:53 -0500
Subject: Brute-Forcing Web Application Session IDs
Message-ID: <3BF0ED75.4920.5548D03@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hello,

iDEFENSE Labs has released a paper entitled "Brute-Force
Exploitation of Web Application Session IDs." It covers the basics
of brute-forcing web applications through guessing or
reverse-engineering state session IDs, which are often used for
authentication purposes. Several examples, using some familiar web
sites and applications, show how stealing or mimicking a legitimate
user's credentials is possible. All relevant vendors and site
administrators were informed responsibly before publication.

The paper is available at http://www.idefense.com/sessionids.html

David Endler
Director, iDEFENSE Labs
dendler@idefense.com
www.idefense.com
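The announcement describes the core idea of the paper in one sentence: a session ID that stands in for a user's credentials can be guessed or reverse-engineered if it has structure. The following Python is an added example, not code from the iDEFENSE paper or from any of the sites it examined. It models a hypothetical weak issuer (a 32-bit counter followed by a 32-bit Unix timestamp, hex encoded), shows how an attacker who logs in twice infers the IDs issued in between and enumerates them against the server, and contrasts that with a 128-bit CSPRNG token where the only attack left is blind guessing. All class names, the start counter and the timestamps are constructed for the demonstration.

```python
"""Added example: predictable vs. random web session IDs under brute force."""
import secrets


class WeakIssuer:
    """Hypothetical weak scheme: <32-bit counter><32-bit unix time>, hex encoded.
    The clock is injectable so the example runs deterministically."""

    def __init__(self, start, clock):
        self.counter = start
        self.clock = clock
        self.sessions = {}  # session id -> username (the server's session store)

    def login(self, user):
        self.counter += 1
        sid = f"{self.counter:08x}{self.clock():08x}"
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        """What the attacker sees when presenting a candidate cookie."""
        return self.sessions.get(sid)


class StrongIssuer:
    """128 random bits from the OS CSPRNG: no field an attacker can extrapolate."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def split_weak(sid):
    """Reverse-engineer a weak-scheme ID into its (counter, timestamp) fields."""
    return int(sid[:8], 16), int(sid[8:], 16)


def infer_gaps(attacker_sids):
    """From the attacker's own IDs (in issue order) derive, for every counter
    value skipped between two of them, the timestamp window it was issued in.
    Each skipped counter is some other user's session."""
    fields = [split_weak(s) for s in attacker_sids]
    gaps = []
    for (c0, t0), (c1, t1) in zip(fields, fields[1:]):
        for c in range(c0 + 1, c1):
            gaps.append((c, t0, t1))
    return gaps


def hijack(issuer, attacker_sids):
    """Enumerate every ID that fits an inferred gap and test it against the
    server. Returns (victim_sid, victim_user, attempts) or (None, None, attempts)."""
    attempts = 0
    for c, t_lo, t_hi in infer_gaps(attacker_sids):
        for t in range(t_lo, t_hi + 1):
            candidate = f"{c:08x}{t:08x}"
            attempts += 1
            user = issuer.whoami(candidate)
            if user is not None and candidate not in attacker_sids:
                return candidate, user, attempts
    return None, None, attempts


def weak_scenario():
    """Constructed timeline: attacker logs in, a victim logs in 7 s later,
    the attacker logs in again 5 s after that, then brute-forces the gap."""
    now = [1005665573]  # constructed epoch seconds (Nov 2001), not a real capture
    issuer = WeakIssuer(start=0x0000A3F1, clock=lambda: now[0])
    mine = [issuer.login("attacker")]
    now[0] += 7
    issuer.login("alice")  # the victim; the attacker never sees this ID
    now[0] += 5
    mine.append(issuer.login("attacker"))
    return hijack(issuer, mine)


def expected_guesses(id_bits, live_sessions=1):
    """Average blind guesses to hit any one of `live_sessions` valid IDs drawn
    uniformly from a space of 2**id_bits."""
    return 2 ** id_bits // (2 * live_sessions)


def years_at_rate(guesses, per_second=1_000_000):
    """Wall-clock time for a brute force at a given request rate."""
    return guesses / per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    sid, user, attempts = weak_scenario()
    print(f"weak scheme: hijacked {user!r} with id {sid} after {attempts} guesses")
    print(f"strong scheme: ~{years_at_rate(expected_guesses(128)):.1e} years at 1M req/s")
```

The weak case needs a handful of requests because the counter leaks how many sessions were issued and the timestamp bounds when; the only defence the random scheme relies on is the size of the search space, which is why 128 bits from `secrets` (or the platform's CSPRNG) is the usual recommendation, combined with rate limiting and invalidation of IDs on logout.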
