A new tool dealing with web sessions was recently announced, it’s called stompy, a free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms. Session IDs are commonly used to track authenticated users, and as such, whenever they’re predictable or simply vulnerable to brute-force attacks, we do have a problem.

The tool has already revealed several problems in proprietary software platforms such as BEA WebLogic and Sun Java System Web Server (both have problems with their JSESSIONIDs).

Why bother?

Some session ID cookie generation mechanisms are well-studied and well-documented, and believed to be cryptographically secure (example: Apache Tomcat, PHP, ASP.NET builtins). This is not necessarily so for certain less researched enterprise web platforms – and almost never so for custom solutions that are frequently implemented inside the web application itself.

Yet, while there are several nice GUI-based tools designed to analyze HTTP cookies for common problems (Daves’ WebScarab, SPI Cookie Cruncher, Foundstone CookieDigger, etc), they all seem to rely on very trivial, if any, tests when it comes to unpredictability (“alphabet distribution” or “average bits changed” are top shelf); this functionality is often not better than a quick pen-and-paper analysis, and can’t be routinely used to tell a highly vulnerable linear congruent PRNG (rand()) from a well-implemented MD5 hash system (/dev/urandom).

What’s cool?

In order to have a fully automated, hands-off tool to reliably detect anomalies that are not readily apparent at a first glance stompy:

• Automatically finds session IDs encoded as URLs, cookies, and in form inputs, then collects a statistically significant sample of data
• Determines alphabet structure to transparently handle base64, uuencode, base32, hex, and any other sane encoding scheme without user intervention
• Translates the data to isolated time-domain bitstreams to examine how SID bits at each position change in time,
• Runs a suite of FIPS-140-2 PRNG evaluation tests on the sample
• Runs an array of n-dimensional phase space tests to find deterministic correlations, PRNG hyperplanes, etc, etc.

Of course, the tool cannot prove the correctness of an implementation, and it is possible to devise predictable, cryptographically unsafe PRNGs that would pass these tests; still, the tool can find plenty of problems and oddities.

Stompy was updated due to feedback and:

• It now supports SSL connections, custom-crafted requests including POSTs, and input from external sources (for evaluation of non-WWW tokens of any type)
• It now uses GNU MP library to losslessly handle alphabets that do not directly map to binary (this is big)
• Can run spatial correlation checks as well as temporal analysis of bitstreams in acquired samples
• The output is much more readable, some minor bugs were fixed.

The latest version of Stompy can be downloaded here:

http://lcamtuf.coredump.cx/stompy.tgz