If you are trying to make the compelling argument that your
session IDs are weak, WebScarab makes a very nice presentation. While
Burp has a stronger statistical method of determining session-identifier
randomness, WebScarab makes patterns in session identifiers visually
Open WebScarab and configure Firefox to use it as a proxy,. Browse in your
application to pages that you think use session identifiers. Login pages
or pages that are restricted by authorization are good places to start.
It usually doesn’t matter which specific function you do, as long as
WebScarab can get unique session IDs each time it requests a page at
that URL. Generally speaking, session IDs are usually generated the same
way throughout an application, so finding a problem in one place is
Figure 1. Finding Set-Cookie headers with WebScarab
Select the Summary pane in WebScarab and look in the Set-Cookie
column. Figure 1 shows this summary pane.
Request ID 9 is highlighted because it is one of many that have cookies.
We will use this request as our request to analyze.
Select WebScarab’s “SessionID Analysis” pane and look at the
“Collection” tab within that pane. Click the drop down next to “Previous
Requests” and select the request that will set the session ID. Figure 2 shows the list, with request 9
selected. Once you’ve selected an appropriate request, press the Test
button. This will bring up a message indicating all the session IDs
WebScarab was able to find automatically within that request. Figure 3 shows the result of such a test. Two
cookies are visible in this Set-Cookie header: phpMyAdmin and pma_fontsize. The fact that the contents of
phpMyAdmin are opaque strings like
z316wV-lrq0w%2C-8lPF6-uvObKdf and the
fact that the other parameter’s name suggests that it controls font size
leads us to focus on phpMyAdmin.
Figure 2. Selecting the request to test for session IDs
Figure 3. Testing a request for session IDs
Once you’ve found an appropriate session ID to model, enter a
sample size. We recommend at least 500 or more for a smooth graph. It’s
better to do 1,000 or 2,000 if you can. Then click the Fetch button to
initiate the requests. Each will receive a different session
To see the graph, you must first go to the Analysis tab and select
the session identifier you’d like to visualize. Figure 4 shows the Analysis tab, with our
phpMyAdmin cookie selected. Select
that from the drop down options. There may be only one session
identifier available; that’s fine. With your session identifier set,
click on the Visualization tab. If WebScarab is still fetching session
identifiers, you’ll see them show up in real time on this graph—a
powerful demonstration in itself. Furthermore, there should be no
obvious pattern in the visualization graph. If there is, it’s likely the
session identifiers are easily predictable.
Figure 4. Choosing the session ID to plot
WebScarab’s analysis of session identifiers, while statistically
weaker than Burp’s, provides a much more convincing diagram. Some
patterns are readily apparent in the graph of session identifiers over
time. Figure 5 shows a real web server that has
relatively predictable identifiers. They’re not as bad as
sequentially issued integers, but with some effort a hacker could
develop a program to predict them. This sort of graph can provide the
extra step you need to demonstrate predictability. A clearly visible
pattern makes a stronger impression than statistical confidence
Figure 5. WebScarab visualization: relatively predictable
Consider the ten session IDs shown in Example 1. Visually inspecting them, you might
think they were pretty random. Aside from the LL6H at the beginning of each, they are very
long and they appear to have lots of randomness. They are from the same
site that produced the graph in Figure 5, however,
which shows how a little visualization can go a long way towards making
the pattern clear.
Example 1. Session IDs from WebScarab
Clear lines or shapes within the graph indicate poor
randomization. When testing an application, it’s easy to get
pseudorandom results and not see an obvious pattern. Laying out the
results in such a graph reveals some (but not all) patterns immediately.
Truly comprehensive analysis requires statistical analysis, such as the
methods used by Burp.
Note that WebScarab will find all sorts of identifiers inside
cookies, not just session identifiers. It may also find non-random
identifiers that record visitor details. Not every cookie value needs to
be random. Don’t be alarmed if one of the identifiers you select for
visualization is a flat, completely predictable line. It may just be a
non-unique token, rather than a session identifier.
That said, some applications will implement multiple session
identifiers to track different behaviors. If you do find an alternate
pseudosession identifier, such as “visitor number,” go ahead and examine
the predictability. It may be that by tampering with some other
identifier, one is able to trick the application into doing something
non-session related, but still just as problematic.
Figure 6 shows an example of a session
identifier that does not appear, visually, to be predictable. Remember
that your application can fail this test, but
cannot pass it. That is, just because your session IDs are not obviously
predictable from visual inspection doesn’t mean they’re random.
Figure 6. WebScarab visualization: unpredictable