foundstone cookiedigger whitepaper by burmesepentester


Using Foundstone CookieDigger to Analyze Web Session

Foundstone Professional Services

May 2005
Web Session Management

Managing web sessions has become a critical component of secure coding techniques. Malicious intruders, e-shoplifters,
and hackers are increasingly targeting poorly designed applications which do not properly manage web

Web session management encompasses the techniques used by web applications to transparently authenticate users
over HTTP without having them repeatedly log in. The HTTP protocol is inherently stateless in nature and so the
application needs some way of performing session management. Session management entails the server sending a
token of identity to the client (e.g. web browsers) after successful authentication.

The most common way of performing session management is via the Set-Cookie directive of HTTP which stores a
token on the client. Every subsequent request made by the client includes that token as a means to prove its identity.
The application server has a database of user information corresponding to every token issued. Upon receiving a
request that includes a token, the application server correlates the user state with the token received. If the token is
recognized, the request is processed; if it is not recognized, the request is rejected. Therefore, the token set on the client
is the most critical piece of information, since it is what gives a user access to his / her resources. This token is popularly called a
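The server side of the scheme just described, as an added Python example that is not code from the whitepaper or from Foundstone: a session table that issues an opaque random token after authentication, hands it to the client in a Set-Cookie header, and resolves the token on each later request. The token length, the 900-second lifetime, the cookie attributes (HttpOnly, Secure, SameSite) and all function names are this example's own assumptions.

```python
import secrets
import time

SESSION_TTL = 900  # session lifetime in seconds; constructed value for this example


def parse_cookie_header(header):
    """Split a request's Cookie: header ("a=1; b=2") into a dict of name -> value."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


class SessionStore:
    """Server-side table mapping an opaque token to the authenticated user.

    The token carries no user data; all state lives on the server, which is
    what makes the token safe to hand to the browser.
    """

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}  # token -> {"user": ..., "expires": ...}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised without waiting

    def issue(self, username):
        """Create a session after successful authentication and return its token."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
        self._sessions[token] = {"user": username, "expires": self._clock() + self._ttl}
        return token

    def set_cookie_header(self, token):
        """Value of the Set-Cookie response header that stores the token on the client."""
        # Assumed defensive baseline (not discussed in the whitepaper): HttpOnly keeps
        # page scripts away from the token, Secure restricts it to TLS, SameSite limits
        # cross-site sends, Max-Age bounds its life in the browser.
        return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={self._ttl}"

    def lookup(self, cookie_header):
        """Resolve a request's Cookie: header to a username, or None if the request is rejected."""
        token = parse_cookie_header(cookie_header).get("session")
        record = self._sessions.get(token) if token else None
        if record is None:
            return None
        if record["expires"] <= self._clock():
            del self._sessions[token]  # expired: forget it so it cannot be replayed
            return None
        return record["user"]

    def revoke(self, token):
        """Logout: forget the token so presenting it again no longer authenticates."""
        self._sessions.pop(token, None)
```

The store is keyed by the token alone, so the only thing standing between an attacker and another user's session is the unpredictability of that token, which is exactly the property the rest of this paper measures.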

Foundstone CookieDigger™

CookieDigger, designed by Foundstone, is a free tool to help identify weak cookie generation and insecure
implementations of session management by web applications. The tool works by collecting and analyzing cookies
issued by a web application for multiple users.

The tool's functionality can be divided into three broad categories:

            1.   Cookie Collection
            2.   Cookie Analyses
            3.   Results

© 2005 Foundstone, Inc. All Rights Reserved - 1
To use CookieDigger, the user needs to point the tool at the web application that is being analyzed. When the tool is
launched, a scaled-down version of a web browser is presented.

           1.   The user needs to browse to the website using this browser.
           2.   Log in as a regular user on the web site with valid credentials.
           3.   Log out of the web site. This is required because some websites do not allow multiple logins
                simultaneously.
           4.   Click on “Replay URLs”. This shows all the URLs that have been visited.
           5.   The Visited URLs panel displays a tree view of all the URLs visited along with the associated parameter
                names and values.

           6.   Identify the request that carries the credentials that were used to log on to the website. The application tries
                to make the best guess of the User ID and Password parameters, but that may not be accurate in all cases.
                Select the right User ID and Password parameters using the drop-down box.
           7.   Enter a set of credentials which can be used by the tool to log on to the web application to collect the
                cookies. The tool does not use the initially entered credentials unless they are re-entered during this
                phase. A minimum of one set and a maximum of 20 sets of credentials can be entered.

           8.   Select the number of times you want to repeat the login process for each set of credentials. The tool
                collects the cookies set for each login attempt. The minimum is 2 and the maximum is 100. Press “Done”
                after having selected the number of attempts.
           9.   Depending on the number of credentials and the number of login attempts, the tool can take from a few
                seconds to a few minutes to collect the cookies.

           10. After the cookie collection is complete, you can choose to save the cookies in XML files for more
                extensive testing, manually analyze the results with the options provided, display the report with the
                default analyses performed on the collected cookies, or just ignore the collected cookies and the
                analyses.
           11. Save the cookies as an XML file.

           12. The user can choose to manually test the cookies collected for commonly known mistakes.
           13. The user can choose the instance of the cookie that they want to analyze. The tool provides the ability to
                choose the user and the instance number of the cookie that the user wants to see.
           14. The user can hash strings using the MD5 and SHA1 algorithms and compare them with the cookies
                collected to check if the web application is using hashes of predictable strings or timestamps as cookies.
                The string value entered is hashed and compared to all the cookie values collected. The results are
                included in the report generated at the end of manual testing.
           15. The user can decode the cookie values to check for useful information passed in the cookies. The user
                currently has the option to perform Base64 and URL decoding on the collected cookies.
           Choose the cookie name value pair that you want to decode. Select the type of decoding and click “ok”.

           The decoded value will appear under “Covert Value”.
           16. The tool provides the user with the ability to search for particular strings and/or substrings across all the
                cookie values collected. This is particularly useful if the user is aware of the encryption algorithm and
                key used but is not sure of the plain text that is being encrypted.

           17. The user has the option to go directly to the “Manual Testing” panel from the main window to continue
                performing the manual analyses on the cookies. The user needs to “Load Cookies” to access the stored
                XML files.
           18. The results of the analyses performed on the collected cookies can be seen through the “Show Report” tab.

CookieDigger performs the following analysis on the cookies collected:

Average Length of the Cookie: If the average length of the cookie that is used as an authenticator is small, then it
would take fewer brute force attempts to hijack another user's session. On a popular site we can assume many users to
be logged in at the same time; therefore, the chances of a successful brute force attempt might be high.

Character Set of the Cookie: The character set employed in the generation of the cookie value plays an important role in
the entropy of the cookie. For any given cookie length, a larger character set increases the strength of the authenticator.
If the attacker can determine the character set employed by the application, the brute force attempts can be crafted more
efficiently. The combination of the length of the cookie and the character set used determines the strength of the

Critical Information: The tool checks the cookie values set by the application to see if any of the cookies contains the
usernames or password values in it. The check is performed on both the plain text value of the cookie and on the
base64 decoded value of the cookie. Other common useful information passed in the cookie values are account
numbers, names, privilege levels, etc.

Entropy of the Cookies: The tool compares the different cookie values to check how many characters are
changing for every subsequent login. If the cookie value remains the same on subsequent logins, it shows that the
algorithm used for generating the cookies is vulnerable to chosen plain text attacks. Furthermore, if the cookie values
remain the same on subsequent logins, it gives the attacker longer periods of time to perform the brute force attempts.
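As an added illustration (not code from Foundstone or from CookieDigger itself), the following Python script reproduces the four baseline checks above, together with the MD5/SHA1 hash comparison and the Base64/URL decoding from manual testing steps 14 and 15, over a constructed cookie collection. The three cookie generators, the user credentials, the function names and the report layout are this example's own assumptions; the figures it reports (length, character set, bits per character, positions that change between logins) are the kind of evidence the whitepaper's analyses are built on.

```python
import base64
import binascii
import hashlib
import math
import secrets
from urllib.parse import unquote

# Constructed sample: two users, three logins each. Not data from any real site.
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}
LOGINS_PER_USER = 3


def build_sample():
    """Simulate three cookie generators of very different quality (constructed data)."""
    collected = {"WEAKID": {}, "USERHASH": {}, "RNDTOK": {}}
    for user, password in CREDENTIALS.items():
        # Base64 of "user:password": never changes and leaks the credentials.
        collected["WEAKID"][user] = [
            base64.b64encode(f"{user}:{password}".encode()).decode()
            for _ in range(LOGINS_PER_USER)
        ]
        # MD5 of the user name: never changes and is recovered by hashing a guess.
        collected["USERHASH"][user] = [
            hashlib.md5(user.encode()).hexdigest() for _ in range(LOGINS_PER_USER)
        ]
        # 128 random bits from the OS CSPRNG: fresh on every login.
        collected["RNDTOK"][user] = [secrets.token_hex(16) for _ in range(LOGINS_PER_USER)]
    return collected


def decodings(value):
    """Plain, URL-decoded and (where it parses) Base64-decoded forms of a cookie value."""
    forms = {"plain": value, "url": unquote(value)}
    try:
        padded = value + "=" * (-len(value) % 4)
        forms["base64"] = base64.b64decode(padded, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        pass  # not Base64: only the plain and URL-decoded forms are checked
    return forms


def average_length(values):
    return sum(len(v) for v in values) / len(values)


def charset_bits(values):
    """Distinct characters used, and the upper bound on entropy per character they imply."""
    chars = sorted(set("".join(values)))
    return chars, (math.log2(len(chars)) if chars else 0.0)


def credential_findings(values, credentials):
    """Cookie instances that carry a user name or password in any decoded form."""
    findings = []
    for value in values:
        for form, text in decodings(value).items():
            for user, password in credentials.items():
                for label, secret in (("username", user), ("password", password)):
                    if secret in text:
                        findings.append((value, form, label))
    return findings


def changing_positions(instances):
    """Character positions that differ between one user's successive logins."""
    width = min(len(v) for v in instances)
    return sum(1 for i in range(width) if len({v[i] for v in instances}) > 1)


def hash_matches(candidates, values):
    """Manual test: MD5/SHA1 each candidate string and look for the digest among the cookies."""
    seen = {v.lower() for v in values}
    return [
        (cand, algo)
        for cand in candidates
        for algo in ("md5", "sha1")
        if hashlib.new(algo, cand.encode()).hexdigest() in seen
    ]


def analyze(collected, credentials):
    """Baseline report per cookie name, in the spirit of the checks described above."""
    report = {}
    for cookie, per_user in collected.items():
        values = [v for instances in per_user.values() for v in instances]
        chars, bits = charset_bits(values)
        report[cookie] = {
            "average_length": average_length(values),
            "charset_size": len(chars),
            "bits_per_char": round(bits, 2),
            "distinct_values": len(set(values)),
            # worst case over users: 0 means at least one user's cookie never changes
            "min_changing_positions": min(changing_positions(i) for i in per_user.values()),
            "credential_findings": credential_findings(values, credentials),
            "hash_matches": hash_matches(list(credentials), values),
        }
    return report


if __name__ == "__main__":
    for cookie, result in analyze(build_sample(), CREDENTIALS).items():
        print(cookie, result)
```

Run as a script, the report flags WEAKID for carrying the user name and password in its Base64-decoded form and for never changing between logins, flags USERHASH because hashing the user names with MD5 reproduces its values, and shows RNDTOK as 32 hexadecimal characters that differ in almost every position from one login to the next.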
The screenshots below show a sample report output collected from

The report provides a summary of the findings. It generates a predictability index based upon the cookie values

The analyses results are displayed in the report. The baseline analyses performed on the cookies provide the user with a
good indication of how strong the session identifiers are.
The report lists all the collected cookie values for the user to view and analyze alongside the results.

The report displays the findings of the manual analyses at the end of the report. If there was any positive finding during
the manual testing, the report displays the cookie values for the user's reference.
Known Issues

           1.   The tool does not work on websites that require scripting on parameter values before they are sent
                back to the application.
           2.   The tool fails in cases where the website sends and expects a nonce for every new login.

About Foundstone Professional Services

Foundstone Professional Services, a division of McAfee, offers a unique combination of services and education to help
organizations continuously and measurably protect the most important assets from the most critical threats. Through a
strategic approach to security, Foundstone identifies, recommends, and implements the right balance of technology,
people, and process to manage digital risk and leverage security investments more effectively.

Foundstone’s Secure Software Security Initiative (S3i™) services help organizations design and engineer secure
software. By building in security throughout the Software Development Lifecycle, organizations can significantly
reduce their risk of malicious attacks and minimize costly remediation efforts. Services include:

•    Source Code Audits
•    Software Design and Architecture Reviews
•    Threat Modeling
•    Web Application Penetration Testing
•    Software Security Metrics and Measurement

For more information about Foundstone S3i services, go to

Foundstone S3i training is designed to teach programmers and application developers how to build secure software and
to write secure code. Classes include:

•    Building Secure Software
•    Writing Secure Code – Java (J2EE)
•    Writing Secure Code – ASP.NET (C#)
•    Ultimate Web Hacking

For the latest course schedule, go to
