Re: Session-ID randomness

2014-03-24 Thread David Avendasora
Remind me to never click on a link for any of Ramsey’s applications that 
includes the session ID…

:-)

Dave


On Mar 24, 2014, at 2:34 PM, Chuck Hill wrote:

> Ramsey, that is evil.  I like that in a man!
> 
> On 2014-03-24, 11:28 AM, "Ramsey Gurley" wrote:
> 
> I’m not aware of any weakness. The method that generates the id is the
> WOUniqueIDGenerator.longUniqueID(long) method.
> 
> If there is an issue, you could pretty easily fix it in your session 
> constructor:
> 
> public MySession() {
>     // myRandomUUIDGenerator() must be static: Java does not allow
>     // calling an instance method before super() has returned
>     super(myRandomUUIDGenerator());
> }
> 
> Then again, if you know it is happening, you could have some fun with it.
> 
> Create a session with the ID they submit. Then they always succeed! You could 
> drop ERXModernizr on them and see a) if javascript is enabled, and if so b) 
> what their potential client side capabilities/vulnerabilities are. If 
> javascript is disabled, that limits the amount of fun you can have with them, 
> but other things will still work. For instance, you could initiate a gzip 
> bomb that will fill their disk with zeros until they run out of disk space.
> 
> Use your imagination :D
> 
> 
> On Mar 24, 2014, at 3:08 AM, Markus Stoll, junidas GmbH wrote:
> 
> Hi,
> for quite some time someone has been firing on one of my customers' WebObjects
> applications, in a way that very much looks like a bot net.
> The firing always occurs on the same instance and the same WO action; for each
> request, it's trying another session id. So this looks like someone is doing a
> brute force attack to guess a valid session id.
> So I am wondering: is there a known weakness in the randomness of generated
> session ids that makes this (guessing a valid session id) possible at all?
> Regards, Markus
> PS: the attacker is using this user agent:
> "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
> They are obviously not respecting the robots.txt, and the observed behaviour
> does not match the expected behaviour for a crawler/bot.
> ___
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list  (Webobjects-dev@lists.apple.com)
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/webobjects-dev/rgurley%40smarthealth.com
> This email sent to rgur...@smarthealth.com


—
WebObjects - so easy that even Dave Avendasora can do it!™
—
David Avendasora
Senior Software Abuser
Nekesto, Inc.






Re: Session-ID randomness

2014-03-24 Thread Chuck Hill
Ramsey, that is evil.  I like that in a man!

On 2014-03-24, 11:28 AM, "Ramsey Gurley" wrote:

I’m not aware of any weakness. The method that generates the id is the
WOUniqueIDGenerator.longUniqueID(long) method.

If there is an issue, you could pretty easily fix it in your session 
constructor:

public MySession() {
    // myRandomUUIDGenerator() must be static: Java does not allow
    // calling an instance method before super() has returned
    super(myRandomUUIDGenerator());
}

Then again, if you know it is happening, you could have some fun with it.

Create a session with the ID they submit. Then they always succeed! You could 
drop ERXModernizr on them and see a) if javascript is enabled, and if so b) 
what their potential client side capabilities/vulnerabilities are. If 
javascript is disabled, that limits the amount of fun you can have with them, 
but other things will still work. For instance, you could initiate a gzip bomb 
that will fill their disk with zeros until they run out of disk space.

Use your imagination :D


On Mar 24, 2014, at 3:08 AM, Markus Stoll, junidas GmbH wrote:

Hi,
for quite some time someone has been firing on one of my customers' WebObjects
applications, in a way that very much looks like a bot net.
The firing always occurs on the same instance and the same WO action; for each
request, it's trying another session id. So this looks like someone is doing a
brute force attack to guess a valid session id.
So I am wondering: is there a known weakness in the randomness of generated
session ids that makes this (guessing a valid session id) possible at all?
Regards, Markus
PS: the attacker is using this user agent:
"Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
They are obviously not respecting the robots.txt, and the observed behaviour
does not match the expected behaviour for a crawler/bot.

Re: Session-ID randomness

2014-03-24 Thread Ramsey Gurley
I’m not aware of any weakness. The method that generates the id is the
WOUniqueIDGenerator.longUniqueID(long) method.

If there is an issue, you could pretty easily fix it in your session 
constructor:

public MySession() {
    // myRandomUUIDGenerator() must be static: Java does not allow
    // calling an instance method before super() has returned
    super(myRandomUUIDGenerator());
}

Then again, if you know it is happening, you could have some fun with it.

Create a session with the ID they submit. Then they always succeed! You could 
drop ERXModernizr on them and see a) if javascript is enabled, and if so b) 
what their potential client side capabilities/vulnerabilities are. If 
javascript is disabled, that limits the amount of fun you can have with them, 
but other things will still work. For instance, you could initiate a gzip bomb 
that will fill their disk with zeros until they run out of disk space.

Use your imagination :D


On Mar 24, 2014, at 3:08 AM, Markus Stoll, junidas GmbH wrote:

> Hi,
> 
> for quite some time someone has been firing on one of my customers' WebObjects
> applications, in a way that very much looks like a bot net.
> 
> The firing always occurs on the same instance and the same WO action; for each
> request, it's trying another session id. So this looks like someone is doing a
> brute force attack to guess a valid session id.
> 
> So I am wondering: is there a known weakness in the randomness of generated
> session ids that makes this (guessing a valid session id) possible at all?
> 
> Regards, Markus
> 
> PS: the attacker is using this user agent:
> "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
> They are obviously not respecting the robots.txt, and the observed behaviour
> does not match the expected behaviour for a crawler/bot.

Re: Session-ID randomness

2014-03-24 Thread Chuck Hill
Hi Markus,

I think the session ID is pretty strong so any attack will require a random
session ID.  I’d rate the chances of success as low.  To be extra sure, capture
the originating IP, user agent, etc. from the request that starts a session.  If
those ever change, kill the session as a preventative measure.

And as someone else suggested, you can use Apache to block this IP or user 
agent from getting near your app.


Chuck


On 2014-03-24, 3:08 AM, "Markus Stoll, junidas GmbH" wrote:

Hi,

for quite some time someone has been firing on one of my customers' WebObjects
applications, in a way that very much looks like a bot net.

The firing always occurs on the same instance and the same WO action; for each
request, it's trying another session id. So this looks like someone is doing a
brute force attack to guess a valid session id.

So I am wondering: is there a known weakness in the randomness of generated
session ids that makes this (guessing a valid session id) possible at all?

Regards, Markus

PS: the attacker is using this user agent:
"Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
They are obviously not respecting the robots.txt, and the observed behaviour
does not match the expected behaviour for a crawler/bot.



Re: Session-ID randomness

2014-03-24 Thread Jesse Tayler

that would not be easy to do, but mostly you can make sure your sessions have a
timeout and max-life set so that there are limits to anyone getting their hands
on one.

I’ve not heard of one being guessed before, but I’m sure there’s mathematics to 
suggest the theoretical limits based on characters in the hash there…

if you can spot a reliable IP, you might black or brown list it?




On Mar 24, 2014, at 6:08 AM, Markus Stoll, junidas GmbH wrote:

> Hi,
> 
> for quite some time someone has been firing on one of my customers' WebObjects
> applications, in a way that very much looks like a bot net.
> 
> The firing always occurs on the same instance and the same WO action; for each
> request, it's trying another session id. So this looks like someone is doing a
> brute force attack to guess a valid session id.
> 
> So I am wondering: is there a known weakness in the randomness of generated
> session ids that makes this (guessing a valid session id) possible at all?
> 
> Regards, Markus
> 
> PS: the attacker is using this user agent:
> "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
> They are obviously not respecting the robots.txt, and the observed behaviour
> does not match the expected behaviour for a crawler/bot.
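Markus's observation (one client presenting a fresh session id on every request to the same action) and Jesse's remark about the mathematics of guessing can both be made concrete. The Python below is an added example, not code from this thread or from WebObjects: it pulls the session ID out of the /wo/ path segment or the wosid query parameter, flags clients that present many distinct session IDs, and bounds the success probability of uniform random guessing. The access-log format, the IPs and the session ID values are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (format and values assumed, not taken from the thread).
# Component-action URLs carry the session ID in the path segment after /wo/;
# direct-action URLs carry it in the wosid query parameter.
BOT_UA = "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 "GET /cgi-bin/WebObjects/Shop.woa/1/wo/{sid}/0.3 HTTP/1.1" 200 "{BOT_UA}"'
     for sid in ("00a1", "00a2", "00a3", "00a4", "00a5")]
    + ['192.168.1.20 "GET /cgi-bin/WebObjects/Shop.woa/1/wa/cart?wosid=cafe01 HTTP/1.1" 200 "Safari"',
       '192.168.1.20 "GET /cgi-bin/WebObjects/Shop.woa/1/wo/cafe01/1.5 HTTP/1.1" 200 "Safari"']
)
LINE_RE = re.compile(r'^(\S+) "GET (\S+) HTTP/1\.[01]" \d+ "([^"]*)"$')


def session_id_from_url(url):
    """Return the WebObjects session ID carried by a request URL, or None."""
    parsed = urlparse(url)
    segments = parsed.path.split("/")
    if "wo" in segments and segments.index("wo") + 1 < len(segments):
        return segments[segments.index("wo") + 1]
    return parse_qs(parsed.query).get("wosid", [None])[0]


def find_session_guessers(log_text, threshold=3):
    """Group requests by (client IP, user agent) and return the clients that
    presented more than `threshold` distinct session IDs: a real browser reuses
    one ID for a whole session, while a guesser shows a new one on every request."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        ip, url, ua = match.groups()
        sid = session_id_from_url(url)
        if sid:
            seen[(ip, ua)].add(sid)
    return {client: ids for client, ids in seen.items() if len(ids) > threshold}


def guess_success_probability(id_bits, active_sessions, attempts):
    """Upper bound (union bound) on the chance that `attempts` uniformly random
    guesses hit any of `active_sessions` live IDs drawn from 2**id_bits values."""
    return min(1.0, attempts * active_sessions / 2 ** id_bits)
```

With a 128-bit ID space, a billion guesses against a thousand live sessions stay far below a one-in-a-trillion chance, which is why the remaining risk on such a deployment is a client binding or timeout gap rather than the ID itself.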