Session ID Analysis

Session ID Analysis helps you judge how easily an attacker could predict or brute-force a valid session identifier and so take over another user's session. Identifiers derived from counters, timestamps or other predictable state are what this plugin is designed to expose; a well-generated random identifier should show no pattern at all.

The principle is that we collect a sample of session identifiers, most likely from a cookie set in the response headers, but possibly also from a hidden form field in the HTML body. WebScarab tags each sessionid with the date and time at which it was collected, converts the string value into a number (see the calculator below), and plots that number against time on a graph. The human eye is far better at spotting patterns than a computer is, so plotting the values on a pair of axes makes it easy for a human to see the sequence.

The default calculator identifies the set of characters observed at each position in the session id string, then treats the string as a mixed-radix number: position i is a digit whose base is the size of the character set seen at position i. This converts arbitrary strings into numbers without assuming any particular alphabet, and it effectively eliminates constant positions, since a position that has only ever shown one character has a base of 1 and contributes nothing (a wholly constant string reduces to 0). Because the character sets are built from the samples collected so far, the calculated values are only approximate while the sample is small and will shift as new characters appear at a position.

It is possible to use alternative calculators, e.g. a Base64 calculator that knows what the Base64 character set is and therefore produces exact values from the first sample, but there is no user-interface support for selecting different calculators. It currently requires code changes to use a different calculator. This might be a good project for an interested person to implement.
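To make the calculator concrete, the following is an added example (not WebScarab's own code) that re-implements the per-position character-set scheme described above, alongside the Base64 alternative the page mentions, and runs it over a constructed batch of identifiers with a constant prefix and suffix around a hex counter that steps by 7. It also produces the calculated-value and difference columns that the Analysis tab shows.

```python
"""Session-ID calculators of the kind the Analysis tab uses.

Illustrative re-implementation of the per-position character-set scheme and of
a Base64 alternative; neither function is WebScarab's own code.
"""
import base64
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed sample: constant prefix/suffix around a hex counter stepping by 7.
SAMPLE_IDS = [
    "SESS-0000A1-X", "SESS-0000A8-X", "SESS-0000AF-X", "SESS-0000B6-X",
    "SESS-0000BD-X", "SESS-0000C4-X", "SESS-0000CB-X", "SESS-0000D2-X",
]


def per_position_charsets(ids: Sequence[str]) -> List[str]:
    """Character set observed at each string position, sorted for a stable digit order."""
    width = max(len(s) for s in ids)
    seen = [set() for _ in range(width)]
    for s in ids:
        for i, ch in enumerate(s):
            seen[i].add(ch)
    return ["".join(sorted(cs)) for cs in seen]


def positions_that_vary(charsets: Sequence[str]) -> List[int]:
    """Positions whose radix is greater than 1; every other position contributes 0."""
    return [i for i, cs in enumerate(charsets) if len(cs) > 1]


def charset_value(sid: str, charsets: Sequence[str]) -> int:
    """Mixed-radix ("base-n per position") conversion of sid to an integer.

    Position i is a digit in base len(charsets[i]) whose digit value is the index
    of the character within that position's set. A position that has only ever
    shown one character has radix 1 and index 0, so constant positions, and a
    wholly constant string, reduce to 0.
    """
    value = 0
    for i, ch in enumerate(sid):
        radix = len(charsets[i])
        value = value * radix + charsets[i].index(ch)
    return value


def base64_value(sid: str) -> int:
    """Alternative calculator that knows its alphabet: decode as Base64 and read
    the bytes as a big-endian integer. Exact from the first sample, but only
    meaningful when the identifier really is Base64."""
    padded = sid + "=" * (-len(sid) % 4)
    return int.from_bytes(base64.b64decode(padded), "big")


def analysis_table(ids: Sequence[str],
                   calculator: Callable[[str], int]) -> List[Tuple[str, int, Optional[int]]]:
    """Rows of (identifier, calculated value, difference from the previous value),
    i.e. the second to fourth columns of the Analysis tab."""
    rows, previous = [], None
    for sid in ids:
        value = calculator(sid)
        rows.append((sid, value, None if previous is None else value - previous))
        previous = value
    return rows


if __name__ == "__main__":
    charsets = per_position_charsets(SAMPLE_IDS)
    print("varying positions:", positions_that_vary(charsets))
    for sid, value, delta in analysis_table(SAMPLE_IDS, lambda s: charset_value(s, charsets)):
        print(f"{sid}  {value:4d}  {'' if delta is None else delta}")
```

With only eight samples the observed alphabet at the two counter positions is sparse (four and eight characters), so the calculated values are a compressed, non-linear image of the true counter and the differences alternate between 3 and 4 instead of staying constant; as further samples fill in the alphabet the values converge on the real ordering. This is the practical reason the calculated value column can change while collection is still running. The constant positions drop out entirely, which is what keeps the plot readable.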

Collecting sessionids

There are currently two ways to collect sessionids: from a cookie in the response headers, or by matching a regular expression against the response body.

To collect sessionids from cookies, make sure that the "From message body" checkbox is NOT selected. To collect sessionids from the message body, make sure that the "From message body" checkbox IS selected. Provide a name for the series of sessionids (the name is calculated automatically for cookies), and a regular expression that can be used to identify the identifier from the rest of the message.

The regular expression MUST match the ENTIRE message body, so it should normally start and end with ".*" constructs. The portion of the matched text that should be used as the session identifier must be enclosed in parentheses, i.e. a capturing group. WebScarab will concatenate multiple groups into a single identifier if desired. Bear in mind that in Java regular expressions "." does not match line terminators by default, so a pattern that works on a one-line body can fail on a real multi-line HTML page; if the Test button reports no match on such a body, try prefixing the expression with "(?s)" to let "." span lines.

Example regular expressions:

  • .*id="(..........)".* extracts a 10-character sessionid enclosed in double quotes and preceded by id=
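To show what "match the entire body" means in practice, here is an added example (not WebScarab code) that applies whole-input matching with Python's re.fullmatch, the counterpart of Java's Matcher.matches(), to a constructed multi-line response body. It shows the page's own pattern failing on a multi-line body unless "." is allowed to match newlines, and two groups being concatenated into one identifier. The field names and values in the body are made up for the example.

```python
"""Whole-body regular-expression extraction of a session identifier."""
import re
from typing import Optional

# Constructed multi-line response body; field names and values are made up.
RESPONSE_BODY = (
    "<html><body>\n"
    '<form action="/account" method="post">\n'
    '  <input type="hidden" name="sess" id="Ab3kZ9qLx2">\n'
    '  <input type="hidden" name="tok_hi" value="7f3a91c0">\n'
    '  <input type="hidden" name="tok_lo" value="5e2d8b44">\n'
    "</form>\n"
    "</body></html>\n"
)

# The pattern from the page: it must match the ENTIRE body, one group for the ID.
PAGE_PATTERN = r'.*id="(..........)".*'

# Two groups that are concatenated into a single identifier; (?s) turns on
# DOTALL so that "." crosses the line breaks in the body.
SPLIT_PATTERN = (r'(?s).*name="tok_hi" value="([0-9a-f]+)"'
                 r'.*name="tok_lo" value="([0-9a-f]+)".*')


def extract_sessionid(body: str, pattern: str, dotall: bool = False) -> Optional[str]:
    """Whole-input match (as Java's Matcher.matches() does); concatenate all groups.

    Returns None when the pattern does not cover the entire body, which is what
    happens with a multi-line body unless "." may match newlines.
    """
    flags = re.DOTALL if dotall else 0
    m = re.fullmatch(pattern, body, flags)
    if m is None:
        return None
    return "".join(g for g in m.groups() if g is not None)


if __name__ == "__main__":
    print(extract_sessionid(RESPONSE_BODY, PAGE_PATTERN))                # no match
    print(extract_sessionid(RESPONSE_BODY, PAGE_PATTERN, dotall=True))   # Ab3kZ9qLx2
    print(extract_sessionid(RESPONSE_BODY, "(?s)" + PAGE_PATTERN))       # Ab3kZ9qLx2
    print(extract_sessionid(RESPONSE_BODY, SPLIT_PATTERN))               # both groups joined
```

The same "(?s)" prefix is valid in Java regular expressions, so a pattern verified this way can be pasted into the plugin unchanged.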

Once you have specified what you want to collect, you need to provide a request whose response will contain a new sessionid. The easiest way of doing this is to look in the SummaryPanel for conversations that have a value in the "Set-Cookie" column, select that request from the drop-down menu, and use that exact request to collect new sessionids. Make sure the request does not itself carry an existing session cookie: many applications only issue a fresh identifier when none is presented, in which case you would collect the same value over and over.

Alternatively, you can hand-craft your request, possibly changing a GET to a HEAD to reduce the amount of data transferred. A HEAD response still carries the Set-Cookie header, but it has no body, so this only works when collecting from cookies.

Once the request has been entered, you can test the setup to make sure that it works. Press the "Test" button. If a sessionid is successfully found, a dialog box will show the details. Once sessionids are being extracted successfully via the "Test" button, you can specify the number of sessionids to collect in the "Samples" field and click "Fetch" to start the process.

If you specify a large number of sessionids, and want to stop the collection process before it finishes naturally, enter "0" into the "Samples" field, and press "Fetch".
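The collection loop behind "Test" and "Fetch", as an added example that is not WebScarab's code: it replays one hand-crafted request (a HEAD, as suggested above) a fixed number of times and records each Set-Cookie value with a timestamp. The target is a constructed stand-in server started in a thread on 127.0.0.1 that hands out deliberately sequential identifiers, so there is no network dependency; the cookie name JSESSIONID and the path /login are assumptions made for the example.

```python
"""Collect N fresh session IDs by replaying one request and harvesting Set-Cookie."""
import threading
import time
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Tuple


class WeakSessionHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target application: issues a new, sequential
    (deliberately weak) session identifier on every request. Not a real server."""
    counter = 0x1000
    lock = threading.Lock()

    def _issue(self) -> None:
        with self.lock:
            type(self).counter += 1
            sid = f"{type(self).counter:08x}"
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _issue
    do_HEAD = _issue

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def start_demo_server() -> ThreadingHTTPServer:
    """Bind the stand-in server to an ephemeral port and serve in the background."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), WeakSessionHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def collect_sessionids(host: str, port: int, path: str, cookie_name: str,
                       samples: int, method: str = "HEAD") -> List[Tuple[float, str]]:
    """Replay the same request `samples` times and return (timestamp, value) for
    the named cookie, which is what the Fetch button does for a cookie series.

    Set-Cookie headers are read with get_all(): a server may send several, and
    joining them into one string would corrupt the values.
    """
    collected: List[Tuple[float, str]] = []
    conn = HTTPConnection(host, port, timeout=5)
    try:
        for _ in range(samples):
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain (empty for HEAD) so the connection can be reused
            jar = SimpleCookie()
            for header in resp.msg.get_all("Set-Cookie", []):
                jar.load(header)
            if cookie_name in jar:
                collected.append((time.time(), jar[cookie_name].value))
    finally:
        conn.close()
    return collected


if __name__ == "__main__":
    srv = start_demo_server()
    try:
        rows = collect_sessionids("127.0.0.1", srv.server_address[1],
                                  "/login", "JSESSIONID", samples=5)
    finally:
        srv.shutdown()
        srv.server_close()
    for ts, sid in rows:
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts)), sid)
```

Each row is a timestamp and a string value, the first two columns of the Analysis tab; the stand-in server's identifiers increase by exactly one per request, the kind of sequence the calculator and the graph are meant to make obvious.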

Session ID Analysis

While the sessionids are being collected, you can switch to the Analysis tab and view the collected values. Using the "Session Identifier" drop-down box, choose the identifier series that you are interested in. The table below it fills with the identifiers collected so far and extends as new ones arrive. The first column gives the date/time at which the sessionid was collected, the second the actual string value of the identifier. The third column shows the calculated value, which may change over time as the "per-position character-set" is updated by new samples. The final column shows the difference between successive calculated values; a constant or slowly drifting difference is the signature of a counter- or time-based identifier.

If you want to copy the sessionids into a spreadsheet program for alternative analysis, select the rows, copy them (Ctrl-C) and paste them into your program.

Session ID Visualisation

The "Visualisation" tab contains a graph view of the selected session identifier. The graph widget is created the first time the tab is selected. If no session identifier is selected on the "Analysis" tab, no points will be shown on the graph. Using the graph, it should be easy to identify linear or repeating patterns in the session ids collected. Conversely, the absence of a visible pattern is not proof that the identifiers are unpredictable; the plot only rules out the gross defects this kind of view can reveal.