Remind me to never click on a link for any of Ramsey’s applications that includes the session ID…

:-)

Dave

On Mar 24, 2014, at 2:34 PM, Chuck Hill <[email protected]> wrote:

> Ramsey, that is evil. I like that in a man!
>
> On 2014-03-24, 11:28 AM, "Ramsey Gurley" wrote:
>
> > I’m not aware of any weakness. The method that generates the id is the
> > WOUniqueIDGenerator.longUniqueID(long) method.
> >
> > If there is an issue, you could pretty easily fix it in your session
> > constructor:
> >
> >     public MySession() {
> >         super(myRandomUUIDGenerator());
> >     }
> >
> > Then again, if you know it is happening, you could have some fun with it.
> >
> > Create a session with the ID they submit. Then they always succeed! You could
> > drop ERXModernizr on them and see a) if javascript is enabled, and if so b)
> > what their potential client side capabilities/vulnerabilities are. If
> > javascript is disabled, that limits the amount of fun you can have with them,
> > but other things will still work. For instance, you could initiate a gzip
> > bomb that will fill their disk with zeros until they run out of disk space.
> >
> > Use your imagination :D
> >
> >
> > On Mar 24, 2014, at 3:08 AM, Markus Stoll, junidas GmbH
> > <[email protected]> wrote:
> >
> > > Hi,
> > > for quite some time someone has been firing on one of my customers' WebObjects
> > > applications, and it very much looks like a bot net.
> > > The firing always occurs on the same instance and the same WO action; for each
> > > request, it's trying another session id. So this looks like someone is doing a
> > > brute force attack to guess a valid session id.
> > > So I am wondering: is there a known weakness in the randomness of generated
> > > session ids that is making this (guessing a valid session id) possible at all?
> > > Regards, Markus
> > > PS: the attacker is using this user agent:
> > > "Mozilla/5.0+(compatible;+AhrefsBot/5.0;++http://ahrefs.com/robot/)"
> > > they are obviously not respecting the robots.txt and the observed
> > > behaviour does not match the expected behaviour for a crawler/bot
> > > _______________________________________________
> > > Do not post admin requests to the list. They will be ignored.
> > > Webobjects-dev mailing list ([email protected])
> > > Help/Unsubscribe/Update your Subscription:
> > > https://lists.apple.com/mailman/options/webobjects-dev/rgurley%40smarthealth.com
> > > This email sent to [email protected]

—————————————————————————————
WebObjects - so easy that even Dave Avendasora can do it!™
—————————————————————————————
David Avendasora
Senior Software Abuser
Nekesto, Inc.
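Ramsey's suggestion above is to hand the session a caller-supplied ID through the WOSession(String) constructor instead of relying on WOUniqueIDGenerator. The following is an added example of that approach, not code from the thread or from WebObjects/Wonder: it assumes the WOSession(String) constructor shown in Ramsey's snippet exists, and the class name MySession and the helper randomSessionID() are this example's own. The ID is 128 bits from java.security.SecureRandom, hex-encoded so it is safe to carry in the wosid URL component and cookie.

```java
import java.security.SecureRandom;

import com.webobjects.appserver.WOSession;

// Added example: a session subclass whose ID comes from a CSPRNG rather than
// the framework default. Assumes WOSession has a String-argument constructor,
// as used in Ramsey's snippet.
public class MySession extends WOSession {

    // One SecureRandom per class; it is thread-safe and seeds itself from the OS.
    private static final SecureRandom RNG = new SecureRandom();

    public MySession() {
        // Argument expressions may call static methods before super() completes.
        super(randomSessionID());
    }

    // 16 random bytes = 128 bits of entropy, which makes online guessing of a
    // live session ID infeasible regardless of how many sessions are active.
    // Hex encoding yields 32 [0-9a-f] characters, valid in a URL and a cookie.
    static String randomSessionID() {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(buf.length * 2);
        for (byte b : buf) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }
}
```

The point of the example is the entropy source, not the encoding: a session ID derived from a time-based or sequential generator can be narrowed down by an attacker who observes a few valid IDs, whereas a 128-bit CSPRNG value cannot, so a sweep like the one Markus describes is reduced to noise in the access log. If an application already relies on the default generator's format elsewhere (for example, parsing the ID into a long), that code must be adjusted before switching.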
