[Security] something to do, session id weaknesses

Jonathan Moore moore at eds.org
Tue Aug 25 20:23:26 UTC 2009


If people are looking for something to do, session ID generation
weaknesses are ripe for the picking. One place to look is for uses of
java.util.Random to generate session IDs. Using Google Code Search you
can find examples like this:

  http://www.google.com/codesearch/p?hl=en&sa=N&cd=21&ct=rc#W2X0k6Vvd8A/trunk/src/java/org/apache/turbine/util/GenerateUniqueId.java&q=%2Bjava.util.random%20sessionid

which is almost certainly exploitable. The core of it is that
java.util.Random is a modified linear congruential PRNG and they have
0 security. I have code that will turn any random long generated from
java.util.Random into the stream of longs that the PRNG will later
return. I am happy to share it with someone who wants to do research
on this stuff. I used it to create a demo exploit for a live site, which
I will not mention here as I do not know if they have ever fixed the
issue.

If someone has some time and wants to get some posts on bugtraq or
whatever, this is a good project. I just don't have the time to be
bothered doing it myself.

-Jonathan
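
Added example, not part of the original message or of any project it links to: the session id pattern the message warns about, next to a form that draws from the platform CSPRNG. The class name, method names and seed value are hypothetical and constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example; SessionIdDemo, weakId and strongId are hypothetical names.
public class SessionIdDemo {

    // Weak pattern: ids drawn from java.util.Random, a linear congruential
    // generator with 48 bits of internal state. Every later output is a
    // deterministic function of that state, so ids are not independent.
    static String weakId(Random rng) {
        return Long.toHexString(rng.nextLong());
    }

    // One shared CSPRNG instance; SecureRandom is thread-safe.
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Hardened form: 128 bits from SecureRandom, URL-safe encoding
    // so the value can be placed in a cookie or URL without escaping.
    static String strongId() {
        byte[] buf = new byte[16];
        CSPRNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        long seed = 20090825L; // constructed sample seed
        Random server = new Random(seed);
        Random replica = new Random(seed);

        // Two generators in the same state issue identical "session ids",
        // which is why generator state must never be inferable from output.
        for (int i = 0; i < 3; i++) {
            String a = weakId(server);
            String b = weakId(replica);
            System.out.println("weak   " + a + "  replica=" + b
                    + "  equal=" + a.equals(b));
        }

        // CSPRNG-backed ids for comparison; no seed is supplied by the caller.
        for (int i = 0; i < 3; i++) {
            System.out.println("strong " + strongId());
        }
    }
}
```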
