Ramsey, that is evil.  I like that in a man!

On 2014-03-24, 11:28 AM, "Ramsey Gurley" wrote:

I’m not aware of any weakness. The method that generates the id is the 
WOUniqueIDGenerator.longUniqueID(long) method.

If there is an issue, you could pretty easily fix it in your session 
constructor:

public class MySession extends WOSession {
    public MySession() {
        // WOSession(String) takes a caller-supplied id; myRandomUUIDGenerator() is a helper you write
        super(myRandomUUIDGenerator());
    }
}

Then again, if you know it is happening, you could have some fun with it.

Create a session with the ID they submit. Then they always succeed! You could 
drop ERXModernizr on them and see a) if javascript is enabled, and if so b) 
what their potential client side capabilities/vulnerabilities are. If 
javascript is disabled, that limits the amount of fun you can have with them, 
but other things will still work. For instance, you could initiate a gzip bomb 
that will fill their disk with zeros until they run out of disk space.

Use your imagination :D


On Mar 24, 2014, at 3:08 AM, Markus Stoll, junidas GmbH 
<markus.st...@junidas.de> wrote:

Hi,
for quite some time someone is firing on one of my customers' WebObjects applications,
in a way that very much looks like a bot net.
The firing always occurs on the same instance and the same WO action, and for each
request it's trying another session id. So this looks like someone is doing a brute force
attack to guess a valid session id.
So I am wondering: is there a known weakness in the randomness of generated session ids
that is making this (guessing a valid session id) possible at all?
Regards, Markus
PS: the attacker is using this user agent: 
"Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
    they are obviously not respecting the robots.txt and the observed behaviour
    does not match the expected behaviour for a crawler/bot
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      
(Webobjects-dev@lists.apple.com<mailto:Webobjects-dev@lists.apple.com>)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/webobjects-dev/rgurley%40smarthealth.com
This email sent to rgur...@smarthealth.com<mailto:rgur...@smarthealth.com>


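Putting Ramsey's suggestion into working form, as an added example that is not code from the thread or from WebObjects itself: a WOSession subclass whose constructor hands WOSession(String) a session id drawn from SecureRandom instead of the WOUniqueIDGenerator default. It assumes the WOSession(String) constructor that Ramsey's snippet already relies on via super(...), and that the application is configured to use MySession as its session class; the 16-byte size and the hex encoding are choices made for this example.

```java
import java.security.SecureRandom;

import com.webobjects.appserver.WOSession;

// Added example, not code from the thread. Assumes WebObjects' WOSession(String)
// constructor (the one Ramsey's snippet calls via super) and that the application
// is already configured to use MySession as its session class.
public class MySession extends WOSession {

    // One CSPRNG for all sessions; SecureRandom is safe to share across threads.
    private static final SecureRandom RNG = new SecureRandom();

    // 16 random bytes = 128 bits of entropy, so a guessing bot at the request
    // rate Markus describes has no realistic chance of hitting a live id.
    private static final int ID_BYTES = 16;

    public MySession() {
        // Replace the default WOUniqueIDGenerator-derived id with our own.
        super(randomSessionID());
    }

    // Hex keeps the id safe both in the wosid URL parameter and in the cookie.
    static String randomSessionID() {
        byte[] raw = new byte[ID_BYTES];
        RNG.nextBytes(raw);
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }
}
```

The point of routing the id through the constructor is that nothing else in the session lifecycle changes: WebObjects still stores, looks up and expires the session by whatever string it was given, so the only difference is that the string is no longer derived from a predictable counter.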
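For the pattern Markus describes (one client, one action, a different session id on every request), an added detection example that is not code from the thread: it groups requests by client IP and action path, counts distinct wosid values per group, and reports any group at or above a threshold. The log lines are constructed for this example in a combined-style access-log format; the wosid parameter name is WebObjects' session-id query key, and the IP addresses, session ids and the Shop.woa path are made up.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the thread. Flags clients that present many
// different session ids against the same action, the pattern Markus describes.
public class SessionGuessDetector {

    // Constructed sample log in a combined-style format (client IP, request line,
    // user agent); the wosid query parameter carries the WebObjects session id.
    static final List<String> SAMPLE_LOG = Arrays.asList(
        "203.0.113.7 - - [24/Mar/2014:03:01:10 +0100] \"GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=a1b2c301 HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)\"",
        "203.0.113.7 - - [24/Mar/2014:03:01:11 +0100] \"GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=a1b2c302 HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)\"",
        "203.0.113.7 - - [24/Mar/2014:03:01:12 +0100] \"GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=a1b2c303 HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)\"",
        "203.0.113.7 - - [24/Mar/2014:03:01:13 +0100] \"GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=a1b2c304 HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)\"",
        "198.51.100.20 - - [24/Mar/2014:03:01:14 +0100] \"GET /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=9f8e7d6c HTTP/1.1\" 200 2048 \"-\" \"Mozilla/5.0 (Macintosh)\"",
        "198.51.100.20 - - [24/Mar/2014:03:01:20 +0100] \"POST /cgi-bin/WebObjects/Shop.woa/wa/cart?wosid=9f8e7d6c HTTP/1.1\" 200 2048 \"-\" \"Mozilla/5.0 (Macintosh)\"",
        "198.51.100.20 - - [24/Mar/2014:03:01:25 +0100] \"GET /cgi-bin/WebObjects/Shop.woa/ HTTP/1.1\" 200 1024 \"-\" \"Mozilla/5.0 (Macintosh)\""
    );

    // Client IP, then the request target from the request line.
    static final Pattern REQUEST = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[[^\\]]+\\] \"(?:GET|POST|HEAD) (\\S+) ");
    // WebObjects passes the session id as the wosid query parameter.
    static final Pattern WOSID = Pattern.compile("[?&]wosid=([^&\\s]+)");

    // Distinct session ids seen per (client IP, action path).
    static Map<String, Set<String>> distinctSessionIds(List<String> log) {
        Map<String, Set<String>> seen = new LinkedHashMap<>();
        for (String line : log) {
            Matcher req = REQUEST.matcher(line);
            if (!req.find()) continue;                 // not a request line we understand
            String ip = req.group(1);
            String target = req.group(2);
            Matcher sid = WOSID.matcher(target);
            if (!sid.find()) continue;                 // no session id on this request
            int q = target.indexOf('?');
            String action = q < 0 ? target : target.substring(0, q);
            seen.computeIfAbsent(ip + " " + action, k -> new HashSet<>()).add(sid.group(1));
        }
        return seen;
    }

    // A legitimate client reuses its one session id; a guesser burns through many.
    static List<String> suspects(List<String> log, int threshold) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : distinctSessionIds(log).entrySet()) {
            if (e.getValue().size() >= threshold) {
                out.add(e.getKey() + " -> " + e.getValue().size() + " distinct session ids");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // On the sample above with threshold 3 only 203.0.113.7 on /wa/cart is reported.
        for (String s : suspects(SAMPLE_LOG, 3)) {
            System.out.println("possible session-id guessing: " + s);
        }
    }
}
```

In a real deployment the threshold belongs on a sliding time window rather than the whole log, and the key should also include the instance, since Markus notes the traffic always hits the same one; the grouping logic stays the same either way.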
