[WEB SECURITY] stompy 0.04
- From: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
- Subject: [WEB SECURITY] stompy 0.04
- Date: Thu, 1 Feb 2007 00:34:50 +0100 (CET)
[ Some fine folks asked me to spam this list as well for good measure when
I first announced version 0.01 of this tool on BUGTRAQ... oh, well! ]
I'd like to announce the availability of a free tool affectionately called
'stompy', a much improved version 0.04. Stompy is a utility to perform
black-box assessment of algorithms used to generate WWW session
identifiers or other tokens that are meant to withstand statistical
analysis and brute-force attacks.
As you all know, session IDs and similar secret values shared between
client and server are commonly used to track authenticated users or
validate certain actions in stateless environments (not limited to the
Internet: prepaid mobile recharge vouchers are a good example), and as
such, whenever they're predictable or simply have a non-negligible chance
of being guessed by trial and error, we do have a problem.
Some of such mechanisms, particularly in relation to the Web, are
well-studied and well-documented, and believed to be cryptographically
secure (for example: Apache Tomcat, PHP, ASP.NET built-in session
identifiers). This is not necessarily so for various less-researched
enterprise platforms, and almost never so for custom solutions implemented
in-house for a particular application.
Yet, while there are several nice GUI-based tools designed to, for
example, analyze HTTP cookies for common problems (Dawes' WebScarab, SPI
Cookie Cruncher, Foundstone CookieDigger, etc), they all seem to rely on
very trivial, if any, tests when it comes to unpredictability ("alphabet
distribution" or "average bits changed" are top shelf); this functionality
is often not better than a quick pen-and-paper analysis, and can't be
routinely used to tell a highly vulnerable linear congruential PRNG (rand())
from a well-implemented MD5 hash system (/dev/urandom). This is no better
for other types of closed-source token generation systems that need to be
quickly assessed for most obvious vulnerabilities before deployment.
Today's super-bored pen-testers can perhaps collect data by hand,
determine its encoding, write conversion scripts, and then run it through
NIST Statistical Test Suite or a similar tool - but few will, and few can
afford to.
Stompy aims to be a quick and mostly automated tool to provide a first
line of assessment and reliably detect common anomalies that are not
readily apparent at a cursory glance.
To achieve this, it:
- Automatically detects session IDs encoded as URLs, cookies, as well as
form inputs, then collects a statistically significant sample of
data without any user interaction (but can also accept preformatted
data from external sources),
- Automatically determines alphabet structure to transparently handle
base64, uuencode, base32, decimal, hex, or any other sane encoding
scheme, including mixed encodings. What's big is that it can handle
fractional-bit alphabets (ones that do not consist of power-of-2
elements), which normally cannot be directly mapped to binary,
- After carrying out a couple of trivial alphabet-based tests, stompy
then splits the samples into temporally separated bitstreams (stream
1: bit 0 of sample 1, bit 0 of sample 2, bit 0 of sample 3...; stream
2: bit 1 of sample 1, bit 1 of sample 2, bit...) to individually
evaluate how bits change in time, and how much entropy they contribute
to the identifier.
- To detect weaknesses in each of the bitstreams, the tool launches NIST
FIPS-140-2 PRNG evaluation tests on the collected data, as well as a
bunch of n-dimensional phase analysis attempts aimed to find PRNG
hyperplanes and other types of non-trivial data correlation.
- Lastly, the tool performs a series of spatial correlation checks to
identify dependencies between neighboring bits in each of the tokens,
- A final report on the number of correct and anomalous bits is then
prepared, and an estimate of the amount of "untainted" entropy is
assigned a human-readable rating.
Stompy supports SSL, custom-crafted POST requests, as well as raw input
from non-WWW sources.
The tool along with a fairly decent documentation is available here:
http://lcamtuf.coredump.cx/stompy.tgz
Cheers,
/mz
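As an added example, not part of the announcement and not stompy's own code: a minimal Python reimplementation of the workflow described above (alphabet detection, the split into per-bit-position "temporal" bitstreams, and the FIPS 140-2 power-up tests), run over two constructed token generators. The generators (a glibc-constant LCG emitted directly as hex, and SHA-256 over a secret plus a counter, truncated to the same width), the secret value, the "untainted bits" count, and the inference of the alphabet from the symbols actually observed are this example's own assumptions, not stompy's algorithms; a tool like stompy would also need to recognise a base64 or hex alphabet even when a sample does not happen to use every symbol.

```python
"""Added example (not stompy's code): per-bit-position assessment of session
tokens using the FIPS 140-2 power-up tests, on constructed input."""
import hashlib
import math

# FIPS 140-2 (change notice 1) intervals for one 20,000-bit sample.
FIPS_BITS = 20000
MONOBIT = (9725, 10275)
POKER = (2.16, 46.17)
RUNS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
        4: (240, 384), 5: (103, 209), 6: (103, 209)}   # 6 means "6 or longer"
LONG_RUN = 26


def detect_alphabet(tokens):
    """Alphabet = sorted set of symbols seen (assumption: the sample covers the
    whole encoding).  Bits per symbol is log2(size), fractional for e.g. decimal."""
    alphabet = sorted(set("".join(tokens)))
    return alphabet, math.log2(len(alphabet))


def tokens_to_bitstreams(tokens):
    """Interpret each token as a base-N integer over the detected alphabet and
    emit one temporally ordered stream per bit position: stream j holds bit j of
    token 1, bit j of token 2, ...  Base conversion is what makes fractional-bit
    alphabets (decimal, base-36) mappable to binary at all."""
    alphabet, bits_per_symbol = detect_alphabet(tokens)
    index = {sym: i for i, sym in enumerate(alphabet)}
    base = len(alphabet)
    width = math.ceil(max(len(t) for t in tokens) * bits_per_symbol)
    values = []
    for t in tokens:
        v = 0
        for sym in t:
            v = v * base + index[sym]
        values.append(v)
    return [[(v >> j) & 1 for v in values] for j in range(width)]


def fips_140_2(bits):
    """Run the four FIPS 140-2 tests on exactly 20,000 bits; return failed test names."""
    if len(bits) != FIPS_BITS:
        raise ValueError("FIPS 140-2 tests are defined over exactly 20,000 bits")
    failed = []
    ones = sum(bits)
    if not MONOBIT[0] < ones < MONOBIT[1]:
        failed.append("monobit")
    # Poker test: chi-square over the 5,000 non-overlapping 4-bit nibbles.
    counts = [0] * 16
    for i in range(0, FIPS_BITS, 4):
        counts[bits[i] * 8 + bits[i + 1] * 4 + bits[i + 2] * 2 + bits[i + 3]] += 1
    x = 16 / 5000 * sum(c * c for c in counts) - 5000
    if not POKER[0] < x < POKER[1]:
        failed.append("poker")
    # Runs test: maximal runs of identical bits, counted separately for 0s and 1s.
    run_counts = {0: dict.fromkeys(RUNS, 0), 1: dict.fromkeys(RUNS, 0)}
    longest, i = 0, 0
    while i < FIPS_BITS:
        j = i
        while j < FIPS_BITS and bits[j] == bits[i]:
            j += 1
        run_counts[bits[i]][min(j - i, 6)] += 1
        longest = max(longest, j - i)
        i = j
    if not all(lo <= run_counts[v][k] <= hi
               for v in (0, 1) for k, (lo, hi) in RUNS.items()):
        failed.append("runs")
    if longest >= LONG_RUN:
        failed.append("long_run")
    return failed


def assess(tokens):
    """Per-bit-position report.  A stream is anomalous if it never changes or
    fails any FIPS test; 'untainted_bits' (this example's simplification of
    stompy's rating) counts the streams that show no anomaly."""
    if len(tokens) < FIPS_BITS:
        raise ValueError("need at least %d tokens" % FIPS_BITS)
    alphabet, bps = detect_alphabet(tokens)
    streams = tokens_to_bitstreams(tokens)
    anomalies = {}
    for j, stream in enumerate(streams):
        if len(set(stream)) == 1:
            anomalies[j] = ["constant"]
        elif fips_140_2(stream[:FIPS_BITS]):
            anomalies[j] = fips_140_2(stream[:FIPS_BITS])
    return {"alphabet_size": len(alphabet), "bits_per_symbol": bps,
            "total_bits": len(streams), "anomalies": anomalies,
            "untainted_bits": len(streams) - len(anomalies)}


def lcg_tokens(n, seed=12345):
    """Constructed weak generator: raw state of a glibc-constant LCG as 8 hex digits.
    Low bit j of such an LCG cycles with period 2**(j+1), so the low streams fail."""
    out, x = [], seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append("%08x" % x)
    return out


def hashed_tokens(n, secret=b"example-secret"):
    """Constructed stronger generator: SHA-256(secret || counter), truncated to
    32 bits only so both generators have the same width for the comparison."""
    return [hashlib.sha256(secret + i.to_bytes(4, "big")).hexdigest()[:8]
            for i in range(n)]


if __name__ == "__main__":
    for name, gen in (("lcg-hex", lcg_tokens), ("sha256-hex", hashed_tokens)):
        r = assess(gen(FIPS_BITS))
        print(name, "untainted bits: %d/%d" % (r["untainted_bits"], r["total_bits"]),
              "anomalous streams:", sorted(r["anomalies"]))
```

Running the block prints one line per generator; the LCG loses its low-order streams to the poker and runs tests (bit 0 strictly alternates, bit 1 repeats 0011, and so on), while the hashed tokens keep essentially all 32 streams. The same split-by-bit-position view is what lets a tool separate "the token has 128 bits" from "the token has 128 bits of which 20 actually carry entropy".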
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org