Was running a penetration scan against our A4D website, and one of the warnings pertained to predictable session IDs. From the A4D docs, I found the following:
- The 32-bit internal session ID is mixed with random data and encrypted to generate a 16-character cookie string.
- The encryption key is randomly selected each time the 4D is restarted.
This sounds pretty good. Is this warning below just a blanket statement made to any website using sessions?
Many Web sites support the idea of user sessions. Each user connecting to the site is issued a unique session ID, which is then used to identify all subsequent requests made by that user, either encoded in the URLs, or as a cookie. The server can then store data for each user session such as the state of a Web shopping cart. Session IDs are also often used to control access to sites requiring a login. Instead of sending the username/password with every request, the site issues a session ID after the user logs on, and the session ID identifies the user for the rest of the session.
With some server session management systems, it's possible for a user, who can connect to the server and get a session ID, to guess other users' session IDs. If successful, the attacker can then view any page, take any action, post to any form etc. as the real user of that session.
This attack requires no IP spoofing or session snooping. It works against sites using SSL.
The following links provide more information about this vulnerability:
[ Netcraft Security Advisory 2001-01.1 - Predictable Session IDs ]( http://news.netcraft.com/archives/2003/01/01/security_advisory_2001011_predictable_session_ids.html )
[ Cookie Encyclopedia - Predictable Session IDs ]( http://www.pdos.lcs.mit.edu/cookies/seq_sessionid.html )
[ Brute-Force Exploitation of Web Application Session IDs ]( http://www.cgisecurity.com/lib/SessionIDs.pdf )
Active4D-dev mailing list
http://list.aparajitaworld.com/listinfo/active4d-dev Archives: http://active4d-nabble.aparajitaworld.com/
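The scanner text above describes the attack but not how to tell whether a given server is actually exposed. The measurement a tester would make is to collect a batch of fresh session cookies and check them for the two symptoms the advisory warns about: a counter showing through (consecutive IDs differ by small steps) and far less observed randomness than the 16-character format could carry. The example below is added here and is not code from the post, from Active4D, or from the scanner; the two generators are constructed stand-ins (a leaked 32-bit counter versus an OS CSPRNG), the thresholds and the 1000-active-sessions figure are assumptions, and the positional-entropy figure is a coarse estimate that ignores correlations between characters.

```python
import math
import secrets
from collections import Counter

# Two constructed generators standing in for "a server that leaks its counter"
# and "a server that uses a CSPRNG". Neither is Active4D's code.


def weak_session_id(counter: int) -> str:
    """Hypothetical weak generator: the 32-bit internal counter, zero-padded,
    is the cookie. The next user's ID is this one plus one."""
    return f"{counter & 0xFFFFFFFF:016x}"


def strong_session_id() -> str:
    """Hypothetical strong generator: 64 bits from the OS CSPRNG as 16 hex chars."""
    return secrets.token_hex(8)


def positional_entropy_bits(ids):
    """Coarse unpredictability estimate: sum over character positions of the
    Shannon entropy of the symbols seen there. A position that never changes
    contributes 0 bits. Correlations between positions are ignored, so this is
    an upper bound on what the sample proves, not a guarantee."""
    n = len(ids)
    total = 0.0
    for pos in range(len(ids[0])):
        counts = Counter(s[pos] for s in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


def max_entropy_bits(ids):
    """Ceiling for the format: every position uniform over the alphabet used."""
    alphabet = set("".join(ids))
    return len(ids[0]) * math.log2(len(alphabet))


def sequential_fraction(ids, window_bits=32):
    """Fraction of consecutive IDs whose numeric difference fits in window_bits.
    IDs are read as base-N integers over the sample's own sorted alphabet, so
    any symbol set works. Near 1.0 means a counter is showing through; random
    IDs give a value near 0.0."""
    alphabet = sorted(set("".join(ids)))
    index = {ch: i for i, ch in enumerate(alphabet)}
    base = len(alphabet)

    def to_int(s):
        v = 0
        for ch in s:
            v = v * base + index[ch]
        return v

    values = [to_int(s) for s in ids]
    close = sum(1 for a, b in zip(values, values[1:]) if abs(b - a) < (1 << window_bits))
    return close / (len(values) - 1)


def assess(ids, active_sessions=1000, min_entropy_ratio=0.5, max_seq_fraction=0.1):
    """Apply both tests and estimate blind brute-force cost. The thresholds and
    the active-session count are assumptions for illustration."""
    observed = positional_entropy_bits(ids)
    ceiling = max_entropy_bits(ids)
    seq = sequential_fraction(ids)
    # Each blind guess lands on some live session with probability roughly
    # active_sessions / 2**observed, so about this many guesses precede the
    # first hijack. With a leaked counter no guessing is needed at all.
    guesses_to_hijack = 2 ** observed / active_sessions
    return {
        "observed_bits": observed,
        "max_bits": ceiling,
        "sequential_fraction": seq,
        "expected_guesses": guesses_to_hijack,
        "predictable": observed < min_entropy_ratio * ceiling or seq > max_seq_fraction,
    }


def demo():
    """Constructed samples: 300 cookies from each generator, in issue order."""
    weak = [weak_session_id(c) for c in range(1, 301)]
    strong = [strong_session_id() for _ in range(300)]
    return assess(weak), assess(strong)


if __name__ == "__main__":
    for name, result in zip(("weak", "strong"), demo()):
        print(name, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in result.items()})
```

Against a real server the `ids` list would be cookies harvested by repeatedly opening new sessions, in the order they were issued, since the sequential test only means something when ordering is preserved. A 16-character cookie whose encryption key is regenerated per restart should look like the strong sample; if it looks like the weak one, the 32-bit internal ID is reaching the client with little or no mixing and the advisory applies.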