Web Security Testing : Manipulating Sessions - Analyzing Session Identifiers with Burp

8/13/2011 3:50:56 PM

1. Problem

If the session identifier can be predicted, an attacker can steal the next user’s session and thus impersonate the user. Random, unpredictable session identifiers are crucial to the security of a web application. Analyzing randomness can be a difficult statistical procedure. Fortunately there is a handy tool, the Burp suite, that can aid in this test.

2. Solution

Fire up the Burp suite and configure the proxy for use with Firefox . Turn the automatic intercept option off. Then, navigate to your web application. Once Burp has recorded a request and response from your web application in the proxy history, right-click on the request and select “send to sequencer,” as shown in Figure 1.

Figure 1. Sending a request to the Burp sequencer

The Sequencer tab will light up red; go ahead and click on it. Sometimes the Burp sequencer can identify the session identifier (it refers to it as the “token”) on its own; if not, you’ll have to highlight the session identifier yourself within the server response. Burp will pick it up from there.

If you’re unable to find a session identifier, it’s likely because the server didn’t set one via that response. Navigate to wherever in your site session cookies are first set. If you don’t know where that is, open the Edit Cookies extension, set the filter to your site, and delete all known cookies. Then, after browsing to each new page, refresh Edit Cookies to display cookies for your site again—if one shows up, you know it was set on this particular page response.

Once you have a session identifier located within Burp sequencer, press the Start Capture button on the lower right. This will send repeated requests to your application, retrieving a new session identifier each time. Capture a statistically viable number of session identifiers (we recommend 10,000—but 100 will work for a demonstration).

Once a sizable enough sample has been collected, pause the collection and select the Analyze Now button.

The results will contain a great deal of statistics, but the general summary is contained within the first page, shown in Figure 2. In fact, the first line will tell you mostly what you need to know. It will read that “The overall quality of randomness within the sample is estimated to be:” very good, good, reasonable, poor, or very poor. The rest of the statistics are there if you need them.

Figure 2. Burp sequencer results

3. Discussion

The Burp sequencer can’t provide 100% assurance that your session IDs are truly random. That would take an advanced degree relating to statistics and information theory, towards the beginning of which you’d learn that 100% assurance is impossible. Meanwhile, if you don’t have time for an advanced degree, the Burp sequencer provides extremely comprehensive analysis. It shouldn’t be trusted absolutely, but given the choice between no statistical analysis and Burp, you should at least try Burp.

Ensuring session-identifier randomness can be difficult. The randomness will usually be determined by the framework. Fortunately, this test can be performed as soon as a session is set, even if not a single page of the application is working. If the developers build a “Hello World” page that sets a session ID, you can run this test—long before any problems relating to sessions start to become important. Because it can be done so early, this recipe makes an excellent test to evaluate a framework.

  •  Programming .NET Security : Extending the .NET Framework (part 2) - Defining the Key Exchange Deformatter
  •  Programming .NET Security : Extending the .NET Framework (part 1) - Defining the Key Exchange Formatter
  •  Programming .NET Security : Programming Cryptographic Keys (part 3) - Key Exchange Formatting
  •  Programming .NET Security : Programming Cryptographic Keys (part 2) - Using Key Persistence
  •  Programming .NET Security : Programming Cryptographic Keys (part 1) - Creating Keys
  •  Deploying a Windows Server 2008 R2 Network Policy Server
  •  Understanding Network Access Protection (NAP) in Windows Server 2008 R2
  •  Programming .NET Security : Cryptographic Keys Explained
  •  Windows Server 2008 : Transport-Level Security - Using IPSec Encryption with Windows Server 2008 R2
  •  Windows Server 2008 : Transport-Level Security - Active Directory Rights Management Services
    Top 10
    Review : Sigma 24mm f/1.4 DG HSM Art
    Review : Canon EF11-24mm f/4L USM
    Review : Creative Sound Blaster Roar 2
    Review : Philips Fidelio M2L
    Review : Alienware 17 - Dell's Alienware laptops
    Review Smartwatch : Wellograph
    Review : Xiaomi Redmi 2
    Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
    Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
    3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8