Stompy – The Web Application Session Analyzer Tool


A new tool dealing with web sessions was recently announced, it’s called stompy, a free tool to perform a fairly detailed black-box assessment of WWW session identifier generation algorithms. Session IDs are commonly used to track authenticated users, and as such, whenever they’re predictable or simply vulnerable to brute-force attacks, we do have a problem.

The tool has already revealed several problems in proprietary software platforms such as BEA WebLogic and Sun Java System Web Server (both have problems with their JSESSIONIDs).

Why bother?

Some session ID cookie generation mechanisms are well-studied and well-documented, and believed to be cryptographically secure (example: Apache Tomcat, PHP, ASP.NET builtins). This is not necessarily so for certain less researched enterprise web platforms – and almost never so for custom solutions that are frequently implemented inside the web application itself.

Yet, while there are several nice GUI-based tools designed to analyze HTTP cookies for common problems (Daves’ WebScarab, SPI Cookie Cruncher, Foundstone CookieDigger, etc), they all seem to rely on very trivial, if any, tests when it comes to unpredictability (“alphabet distribution” or “average bits changed” are top shelf); this functionality is often not better than a quick pen-and-paper analysis, and can’t be routinely used to tell a highly vulnerable linear congruent PRNG (rand()) from a well-implemented MD5 hash system (/dev/urandom).

What’s cool?

In order to have a fully automated, hands-off tool to reliably detect anomalies that are not readily apparent at a first glance stompy:

  • Automatically finds session IDs encoded as URLs, cookies, and in form inputs, then collects a statistically significant sample of data
  • Determines alphabet structure to transparently handle base64, uuencode, base32, hex, and any other sane encoding scheme without user intervention
  • Translates the data to isolated time-domain bitstreams to examine how SID bits at each position change in time,
  • Runs a suite of FIPS-140-2 PRNG evaluation tests on the sample
  • Runs an array of n-dimensional phase space tests to find deterministic correlations, PRNG hyperplanes, etc, etc.

Of course, the tool cannot prove the correctness of an implementation, and it is possible to devise predictable, cryptographically unsafe PRNGs that would pass these tests; still, the tool can find plenty of problems and oddities.

Stompy was updated due to feedback and:

  • It now supports SSL connections, custom-crafted requests including POSTs, and input from external sources (for evaluation of non-WWW tokens of any type)
  • It now uses GNU MP library to losslessly handle alphabets that do not directly map to binary (this is big)
  • Can run spatial correlation checks as well as temporal analysis of bitstreams in acquired samples
  • The output is much more readable, some minor bugs were fixed.

The latest version of Stompy can be downloaded here:

http://lcamtuf.coredump.cx/stompy.tgz

Posted in: Hacking Tools, Web Hacking

, ,


Latest Posts:


zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors
Memhunter - Automated Memory Resident Malware Detection Memhunter – Automated Memory Resident Malware Detection
Memhunter is an Automated Memory Resident Malware Detection tool for the hunting of memory resident malware at scale, improving threat hunter analysis process.
Sandcastle - AWS S3 Bucket Enumeration Tool Sandcastle – AWS S3 Bucket Enumeration Tool
Sandcastle is an Amazon AWS S3 Bucket Enumeration Tool, formerly known as bucketCrawler. The script takes a target's name as the stem argument (e.g. shopify).
Astra - API Automated Security Testing For REST Astra – API Automated Security Testing For REST
Astra is a Python-based tool for API Automated Security Testing, REST API penetration testing is complex due to continuous changes in existing APIs.
Judas DNS - Nameserver DNS Poisoning Attack Tool Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download - Tools for Network Auditing & Password Sniffing dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network


Comments are closed.