I'm not aware of any weakness. The method that generates the id is the WOUniqueIDGenerator.longUniqueID(long) method.
If there is an issue, you could pretty easily fix it in your session constructor:
public MySession() {
    // Hand WOSession an id from your own generator instead of the default one
    super(myRandomUUIDGenerator());
}
Then again, if you know it is happening, you could have some fun with it.
Create a session with the ID they submit. Then they always succeed! You could drop ERXModernizr on them and see a) if JavaScript is enabled, and if so b) what their potential client-side capabilities/vulnerabilities are. If JavaScript is disabled, that limits the amount of fun you can have with them, but other things will still work. For instance, you could initiate a gzip bomb that will fill their disk with zeros until they run out of disk space.
Use your imagination :D
On Mar 24, 2014, at 3:08 AM, Markus Stoll, junidas GmbH <email@hidden> wrote:
Hi,
For quite some time someone has been firing on one of my customers' WebObjects applications in a way that very much looks like a botnet.
The firing always occurs on the same instance and the same WO action; for each request, it's trying another session id. So this looks like someone is doing a brute-force attack to guess a valid session id.
So I am wondering: is there a known weakness in the randomness of generated session ids that makes this (guessing a valid session id) possible at all?
Regards, Markus
They are obviously not respecting the robots.txt, and the observed behaviour does not match the expected behaviour for a crawler/bot.
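The reply above suggests handing WOSession an id from your own random generator, and Markus's report describes a client that walks through session ids one request at a time. The following is an added, stand-alone example (not code from the thread, from WebObjects or from Project Wonder) showing both halves from the defender's side: a SecureRandom-backed id generator of the kind you would call as `super(randomSessionID())` in the session constructor, and a per-client counter of requests that present an unknown session id, which is the signal to alert on. The class name `SessionIdHardening`, the method names, the 22-character id shape and the sample request list are all assumptions constructed for this example; the real application would pass the generated id to the `WOSession(String)` constructor rather than to a plain class.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not from the WebObjects-dev thread. Generates session ids
 * with 128 bits of entropy and counts requests per client that carry an id
 * the application does not know, so a guessing client can be flagged.
 */
public class SessionIdHardening {

    // 16 random bytes = 128 bits; URL-safe base64 without padding is 22 chars.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ID_BYTES = 16;
    private static final Pattern ID_SHAPE = Pattern.compile("[A-Za-z0-9_-]{22}");

    /** Id suitable for super(randomSessionID()) in a WOSession subclass (assumed usage). */
    static String randomSessionID() {
        byte[] buf = new byte[ID_BYTES];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Cheap shape check so malformed guesses never reach the session store. */
    static boolean looksLikeOurID(String id) {
        return id != null && ID_SHAPE.matcher(id).matches();
    }

    /** Counts unknown-session requests per client address and flags a threshold. */
    static final class UnknownSessionTracker {
        private final int threshold;
        private final Map<String, Integer> failures = new HashMap<>();

        UnknownSessionTracker(int threshold) {
            this.threshold = threshold;
        }

        /** Returns true once this client has reached the threshold. */
        boolean recordUnknown(String clientAddr) {
            int n = failures.merge(clientAddr, 1, Integer::sum);
            return n >= threshold;
        }

        int failuresFor(String clientAddr) {
            return failures.getOrDefault(clientAddr, 0);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one live session, one client cycling through ids.
        Set<String> liveSessions = new HashSet<>();
        String real = randomSessionID();
        liveSessions.add(real);

        String[][] requests = {
            {"203.0.113.7", "A".repeat(21) + "A"},
            {"203.0.113.7", "A".repeat(21) + "B"},
            {"203.0.113.7", "not-even-the-right-shape"},
            {"198.51.100.2", real},
            {"203.0.113.7", "A".repeat(21) + "C"},
        };

        UnknownSessionTracker tracker = new UnknownSessionTracker(3);
        for (String[] r : requests) {
            String addr = r[0];
            String sid = r[1];
            if (looksLikeOurID(sid) && liveSessions.contains(sid)) {
                System.out.printf("%s  valid session%n", addr);
            } else {
                boolean alert = tracker.recordUnknown(addr);
                System.out.printf("%s  unknown session id %s%s%n",
                        addr, sid, alert ? "   <-- threshold reached, alert" : "");
            }
        }

        // Exhausting 2^128 ids at a thousand guesses per second takes on the
        // order of 10^28 years, so with ids like these the observed traffic
        // is a nuisance to rate-limit and log, not a realistic threat.
        System.out.printf("failures from 203.0.113.7: %d%n",
                tracker.failuresFor("203.0.113.7"));
    }
}
```

In a real deployment the unknown-id count would be keyed on whatever identifies the client behind your load balancer and aged out over a time window; the fixed map here keeps the example self-contained.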
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Help/Unsubscribe/Update your Subscription: