Re: Session-ID randomness
- Subject: Re: Session-ID randomness
- From: Jesse Tayler <email@hidden>
- Date: Mon, 24 Mar 2014 09:55:51 -0400
that would not be easy to do, but mostly you can make sure your sessions have a timeout and max-life set so that there are limits to anyone getting their hands on one.
I’ve not heard of one being guessed before, but I’m sure there’s mathematics to suggest the theoretical limits based on characters in the hash there…
if you can spot a reliable IP, you might black or brown list it?
On Mar 24, 2014, at 6:08 AM, Markus Stoll, junidas GmbH <email@hidden> wrote:
> Hi,
>
> for quite some time someone has been firing on one of my customers' WebObjects applications,
> which very much looks like a bot net.
>
> The firing always occurs on the same instance and the same WO action, and for each request it's
> trying another session id. So this looks like someone is doing a brute force
> attack to guess a valid session id.
>
> So I am wondering: is there a known weakness in the randomness of generated session ids,
> that is making this (guessing a valid session id) possible at all?
>
> Regards, Markus
>
> PS: the attacker is using this user agent: "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
> they are obviously not respecting the robots.txt and the observed behaviour does not match
> the expected behaviour for a crawler/bot
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
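The two points raised in this exchange, the "mathematics" behind how hard a session id is to guess within a session's max-life, and spotting the one IP that is cycling through ids against a single WO action, are worked through below as an added example. This code is not from the thread, from WebObjects or from either poster; the log format, the `session=ok`/`session=missing` marker and all IPs, paths and ids are constructed for the example, and the `/wo/<session-id>/` path layout is an assumption.

```python
import math
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original thread). Each line
# carries: timestamp, client IP, request path with the session id after /wo/,
# and whether the application found a live session for that id (assumed marker).
SAMPLE_LOG = """\
2014-03-24T06:08:01Z 203.0.113.7 /cgi-bin/WebObjects/Shop.woa/wo/aB3kX9zQpL2mN8vR/0.1 session=missing
2014-03-24T06:08:01Z 203.0.113.7 /cgi-bin/WebObjects/Shop.woa/wo/Qw7eRt8yUi9oPa1s/0.1 session=missing
2014-03-24T06:08:02Z 203.0.113.7 /cgi-bin/WebObjects/Shop.woa/wo/Zx1cVb2nMa3sDf4g/0.1 session=missing
2014-03-24T06:08:02Z 203.0.113.7 /cgi-bin/WebObjects/Shop.woa/wo/Hj5kLp6oIu7yTr8e/0.1 session=missing
2014-03-24T06:08:03Z 198.51.100.23 /cgi-bin/WebObjects/Shop.woa/wo/Pl9okM8ijN7uhB6y/0.1 session=ok
2014-03-24T06:08:04Z 198.51.100.23 /cgi-bin/WebObjects/Shop.woa/wo/Pl9okM8ijN7uhB6y/0.2 session=ok
2014-03-24T06:08:05Z 203.0.113.7 /cgi-bin/WebObjects/Shop.woa/wo/Gf4dSa3sQw2eRt1y/0.1 session=missing
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+/wo/(?P<sid>[^/]+)/\S+) session=(?P<state>\w+)$")


def hit_probability(id_bits: float, live_sessions: int, guesses: int) -> float:
    """Probability that `guesses` uniformly random ids hit at least one of
    `live_sessions` live ids drawn from a space of 2**id_bits.

    Each guess succeeds with p = live / 2**bits; the chance that none of
    `guesses` succeeds is (1 - p)**guesses. log1p/expm1 keep the result
    accurate when p is far below floating-point resolution.
    """
    p_single = live_sessions / 2.0 ** id_bits
    return -math.expm1(guesses * math.log1p(-p_single))


def guesses_within_max_life(requests_per_second: float, max_life_seconds: float) -> int:
    """How many ids an attacker can try while any one session is still alive.
    This is the quantity a timeout / max-life setting bounds: once a session is
    retired, guesses made against it are wasted."""
    return int(requests_per_second * max_life_seconds)


def count_missing_session_ids(log_text: str) -> dict:
    """Per client IP, the number of distinct session ids that the application
    reported as not existing. Legitimate clients reuse one live id; a guesser
    presents a new, unknown id on every request."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if m.group("state") == "missing":
            missing[m.group("ip")].add(m.group("sid"))
    return {ip: len(sids) for ip, sids in missing.items()}


def flag_session_guessers(log_text: str, threshold: int = 5) -> list:
    """IPs whose distinct-missing-id count reaches `threshold`, sorted for stable output."""
    counts = count_missing_session_ids(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed figures: a 128-bit id space, 10,000 live sessions, and a
    # guesser sending 50 requests/s against a 30-minute max-life.
    n = guesses_within_max_life(50, 30 * 60)
    print("guesses per max-life window:", n)
    print("P(hit) with 128-bit ids:", hit_probability(128, 10_000, n))
    print("P(hit) with 32-bit ids:", hit_probability(32, 10_000, n))
    print("flagged IPs:", flag_session_guessers(SAMPLE_LOG))
```

The probability function makes the original poster's question concrete: with ids drawn uniformly from a large space, guessing does not become feasible by volume alone, and the max-life setting caps how many guesses can ever be aimed at one live session. The detector implements the other half of the reply: it does not depend on the user agent string, which the attacker chooses, but on the pattern the poster actually observed, one source presenting a different unknown session id on every request.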