Re: stompy the session stomper

bugtraq

Re: stompy the session stomper - tool availability

To:	Michal Zalewski <lcamtuf@dione.ids.pl>
Subject:	Re: stompy the session stomper - tool availability
From:	Rogan Dawes <lists@dawes.za.net>
Date:	Sun, 28 Jan 2007 09:01:13 +0200
Cc:	webappsec@securityfocus.com, pentest@securityfocus.com, bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
In-reply-to:	<Pine.LNX.4.58.0701261830530.30421@dione>
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm
References:	<Pine.LNX.4.58.0701261830530.30421@dione>
User-agent:	Thunderbird 1.5.0.9 (X11/20070103)

Michal Zalewski wrote:

Hi all,

I'd like to announce the availability of 'stompy', a free tool to perform
a fairly detailed black-box assessment of WWW session identifier
generation algorithms. Session IDs are commonly used to track
authenticated users, and as such, whenever they're predictable or simply
vulnerable to brute-force attacks, we do have a problem.

[snip]

Yet, while there are several nice GUI-based tools designed to analyze HTTP
cookies for common problems (Daves' WebScarab, SPI Cookie Cruncher,

Just wanted to point out that Dave has had nothing to do with WebScarab(and that I recognise that WebScarab's analysis is pretty trivial).Would you have any objection to me including/porting Stompy's analysisportion into WebScarab, to make it more accessible to folk?


Regards,

Rogan Dawes
WebScarab author

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
stompy the session stomper - tool availability, Michal Zalewski Re: stompy the session stomper - tool availability, Rogan Dawes <= Re: stompy the session stomper - tool availability, Michal Zalewski Re: stompy the session stomper - tool availability, Michal Zalewski

Previous by Date:	Phorum HTML Injection Vulnerability, DoZ
Next by Date:	gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability, trzindan
Previous by Thread:	stompy the session stomper - tool availability, Michal Zalewski
Next by Thread:	Re: stompy the session stomper - tool availability, Michal Zalewski
Indexes:	[Date] [Thread] [Top] [All Lists]