Thursday, May 3, 2012

The Entropy Entropy

Recently, while conducting a web application penetration test for a client, alongside the usual vulnerabilities such as SQL injection and XSS we found a rather interesting issue related to session cookie management and session cookie prediction.

The session cookie looked something like this:

010239E505D30CE1CE08FE39FF76EB0EE1CE08000A750073006500720000012F00FF

Initially we assumed the string to be some encoded form of user data; however, upon analyzing a set of such samples we discovered a pattern in the string and were able to align multiple samples to identify the related blocks.

010|239E505D30CE1CE08FE39FF76EB0E|E1CE08000A|7500730065007200|00012F00FF

Upon further analysis we found each component to be as below:

c1: 010: [Constant]
c2: 239E505D30CE1CE08FE39FF76EB0E: [Hash of temporal data, perhaps]
c3: E1CE08000A: [User id or some serial data]
c4: 7500730065007200: [Hex-encoded user name]
c5: 00012F00FF: [Constant]

Upon further investigation and some trial and error, we found it was possible to reuse the c2 component of one user's cookie for another user, which effectively means there is hardly any entropy or randomness in the session identifier beyond the user id (c3) and user name (c4). Since the user id is serial in nature, it is trivial for one user to log in as another given the target user's username and some brute forcing of the user id.
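The following is an added example, not code from the original post or from 3S Labs, showing how a tester or defender can check a batch of session tokens for exactly the weakness described above: split each token into the c1..c5 components using the offsets from the alignment shown earlier, decode c4 (the bytes 75 00 73 00 65 00 72 00 are "user" in UTF-16LE), and report which components stay constant across samples and how much entropy each one actually shows. It assumes c4 is the only field whose length can vary (the post shows a single token, so that layout rule is an assumption), and the two extra sample tokens are constructed for the example rather than captured. The last function shows the usual mitigation, an opaque identifier from a CSPRNG that carries no user data at all.

```python
import math
import secrets
from collections import Counter

# Field widths in hex characters, taken from the alignment in the post:
# c1 (3) | c2 (29) | c3 (10) | c4 (user name) | c5 (10)
# Assumption for this example: c4 is the only field whose length can vary,
# so it is whatever sits between the fixed-width head and the fixed trailer.
C1_LEN, C2_LEN, C3_LEN, C5_LEN = 3, 29, 10, 10
HEAD_LEN = C1_LEN + C2_LEN + C3_LEN

POST_TOKEN = "010239E505D30CE1CE08FE39FF76EB0EE1CE08000A750073006500720000012F00FF"
POST_C2 = "239E505D30CE1CE08FE39FF76EB0E"


def parse_token(token: str) -> dict:
    """Split a session token into the components c1..c5 named in the post."""
    if len(token) < HEAD_LEN + C5_LEN or (len(token) - HEAD_LEN - C5_LEN) % 2:
        raise ValueError("token too short or user-name field is not whole bytes")
    return {
        "c1": token[:C1_LEN],
        "c2": token[C1_LEN:C1_LEN + C2_LEN],
        "c3": token[C1_LEN + C2_LEN:HEAD_LEN],
        "c4": token[HEAD_LEN:-C5_LEN],
        "c5": token[-C5_LEN:],
    }


def decode_username(c4: str) -> str:
    """c4 is the user name hex-encoded as UTF-16LE: 75 00 73 00 65 00 72 00 -> 'user'."""
    return bytes.fromhex(c4).decode("utf-16-le")


def build_token(c3: str, username: str, c2: str = POST_C2) -> str:
    """Assemble a token in the same layout; used here only to construct test samples."""
    return "010" + c2 + c3 + username.encode("utf-16-le").hex().upper() + "00012F00FF"


def shannon_entropy_bits(values) -> float:
    """Shannon entropy in bits of the empirical distribution of one field."""
    counts = Counter(values)
    if len(counts) == 1:
        return 0.0
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_tokens(tokens) -> dict:
    """Per field: is it constant across the samples, and how much entropy does the
    sample show? A constant field adds nothing to unpredictability; a field with
    all-distinct values tops out at log2(N) bits for N samples, which is a ceiling
    on what a small sample can reveal, not proof of a good generator."""
    parsed = [parse_token(t) for t in tokens]
    report = {}
    for name in ("c1", "c2", "c3", "c4", "c5"):
        vals = [p[name] for p in parsed]
        report[name] = {
            "constant": len(set(vals)) == 1,
            "entropy_bits": round(shannon_entropy_bits(vals), 3),
        }
    return report


def new_session_id() -> str:
    """Mitigation: an opaque identifier from the OS CSPRNG (256 bits) carrying no
    user data. The server maps it to the user in its own session store, so nothing
    in the cookie can be derived from another user's cookie."""
    return secrets.token_hex(32)


# Constructed samples (not captured cookies): the token from the post plus two
# invented users whose cookies keep c1, c2 and c5 fixed and differ only in the
# serial c3 and the user name c4, which is the situation the post describes.
SAMPLES = [
    POST_TOKEN,
    build_token("E1CE08000B", "test"),
    build_token("E1CE08000C", "mary"),
]

if __name__ == "__main__":
    for t in SAMPLES:
        p = parse_token(t)
        print(p["c3"], decode_username(p["c4"]))
    for field, r in audit_tokens(SAMPLES).items():
        print(f"{field}: constant={r['constant']} entropy={r['entropy_bits']} bits")
    print("hardened:", new_session_id())
```

Running it over the three samples reports c1, c2 and c5 as constant with zero bits of entropy, while c3 and c4 show the log2(3) bits that three distinct values can at most show; with real captures, a c2 that never changes across users and sessions is the finding, and the fix is to stop encoding user data in the cookie and issue the `new_session_id()` style of identifier instead.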
