Zeroday 01100100011010010

I realized a few days ago that I have not kept up on web pen testing techniques lately and have been falling behind. I picked up a copy of “The Art of Software Security Testing” and started reading through the chapters. The XSS and SQL injection examples were interesting although a little too basic for my taste. The session ID mapping caught my eye since I don’t have much expierence with visualizing data. After reading through the example I poked around online and found the OWASP WebScarab project had really gone above and beyond where it was a year or two ago. The tool now meets or exceeds the functionality of Webproxy (now disappeared by Symantec). In particular there is a great built in SessionID analyzer which grabs the sessionID and then generates more. A graph is then generated from these results. I decided to take a look at a wikimedia server since I run one. The sessionID are sufficiently complex!

For those not familiar with this technique it involves taking the sessionID values and converting them into numbers then plotting the results. The human eye is fantastic at detecting patterns that computers don’t “see”. Another commercial site I was browsing around on earlier used an internal ID tracker (not the sessionID thankfully) and the values were incremented predictably. The result on the graph was a slanted line pointing up at about 45 degrees.