Re: Session-ID randomness
- Subject: Re: Session-ID randomness
- From: Ramsey Gurley <email@hidden>
- Date: Mon, 24 Mar 2014 11:28:48 -0700
I’m not aware of any weakness. The method that generates the ID is the WOUniqueIDGenerator.longUniqueID(long) method.
If there is an issue, you could pretty easily fix it in your session constructor:
public MySession() {
    // Hand the superclass a session ID from your own generator instead of the default one.
    // Note: the generator has to be a static method, since Java does not allow instance calls before super().
    super(myRandomUUIDGenerator());
}
Then again, if you know it is happening, you could have some fun with it.
Create a session with the ID they submit. Then they always succeed! You could drop ERXModernizr on them and see a) if javascript is enabled, and if so b) what their potential client side capabilities/vulnerabilities are. If javascript is disabled, that limits the amount of fun you can have with them, but other things will still work. For instance, you could initiate a gzip bomb that will fill their disk with zeros until they run out of disk space.
Use your imagination :D
On Mar 24, 2014, at 3:08 AM, Markus Stoll, junidas GmbH <email@hidden> wrote:
> Hi,
>
> for quite some time someone has been firing at one of my customer's WebObjects applications,
> in a way that very much looks like a bot net.
>
> The firing always occurs on the same instance and the same WO action; for each request, it's
> trying another session ID. So this looks like someone is doing a brute-force
> attack to guess a valid session ID.
>
> So I am wondering: is there a known weakness in the randomness of generated session IDs
> that makes this (guessing a valid session ID) possible at all?
>
> Regards, Markus
>
> PS: the attacker is using this user agent: "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
> They are obviously not respecting the robots.txt, and the observed behaviour does not match
> the expected behaviour for a crawler/bot.
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
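A worked version of the two points raised in the thread, added here as an example and not code from the list, from WebObjects or from Wonder: a CSPRNG-backed session-ID source that a session constructor could pass to super(...) in place of the default generator, plus a small detector for the "one client, many unknown session IDs" pattern Markus describes. It assumes, as in the snippet above, that the session superclass accepts a session-ID string, and it omits time-windowing and eviction of the per-client state.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not WebObjects/Wonder code.
public class SessionIdHardening {

    private static final SecureRandom RNG = new SecureRandom();

    // 20 random bytes = 160 bits of entropy, encoded as URL-safe base64 without padding.
    // Static so that it can be called from a subclass constructor before super() returns.
    // At this size, hitting a live ID out of even millions of active sessions is infeasible.
    public static String randomSessionId() {
        byte[] buf = new byte[20];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Detection side: track distinct submitted session IDs that resolved to no live
    // session, per client address. A real user presents one or a few IDs; a bot
    // cycling through guesses presents a new unknown ID on every request.
    public static class UnknownSessionTracker {
        private final Map<String, Set<String>> unknownIdsByClient = new HashMap<>();
        private final int threshold;

        public UnknownSessionTracker(int threshold) { this.threshold = threshold; }

        // Call when the application finds no session for the submitted ID.
        // Returns true once the client has crossed the threshold of distinct unknown IDs.
        public boolean recordUnknownId(String clientAddress, String submittedId) {
            Set<String> seen = unknownIdsByClient.computeIfAbsent(clientAddress, k -> new HashSet<>());
            seen.add(submittedId);
            return seen.size() >= threshold;
        }
    }

    public static void main(String[] args) {
        System.out.println("fresh session id: " + randomSessionId());
        UnknownSessionTracker tracker = new UnknownSessionTracker(50);
        // Constructed sample: one address submitting 60 different unknown IDs.
        boolean flagged = false;
        for (int i = 0; i < 60; i++) {
            flagged = tracker.recordUnknownId("203.0.113.9", "guess-" + i);
        }
        System.out.println("client flagged: " + flagged);
    }
}
```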