Web Application Brute Forcing 101 - "Enemy of the State (Mechanism)"

Presented at DEF CON 10 (2002), Aug. 3, 2002, 11 a.m. (50 minutes)

This presentation focuses on the ease with which many web application Session IDs can be brute-forced, allowing an attacker to hijack a legitimate web user's online session (e.g. Slashdot, Apache, Register.com, PHPNuke, etc.). While a somewhat narrow area of web application security, the simplicity of the attacks and the prevalence of these vulnerabilities on the Internet make this an important topic. Malicious users can easily try (usually automated) combinations of well-known usernames and passwords, or indeed attempt all possible combinations of the accepted Session ID character set. However, the scope of a brute force attack can be greatly reduced when Session IDs are predictable in nature. The presentation will include an overview of the issues involved in exploiting predictable or "reverse-engineerable" Session IDs in popular web applications, including a demonstration with several real-world exploitation examples. It will conclude with a description of techniques both users and web developers can use to protect against these types of attacks.
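As an added illustration (not part of the DEF CON abstract or the presenters' material) of why predictability shrinks the brute-force search space, the following Python contrasts a constructed sequential session ID generator with one backed by the OS CSPRNG, and applies two crude audit checks a developer can run against a sample of their own application's IDs before shipping. The generator names, the sample sizes and the thresholds are assumptions chosen for the demonstration.

```python
import math
import secrets
from collections import Counter

def weak_session_id(counter: int) -> str:
    """Constructed example of a predictable generator: a zero-padded counter.
    Neighbouring IDs differ by one, so a hijacker needs very few guesses."""
    return f"{counter:016d}"

def strong_session_id() -> str:
    """128 bits from the OS CSPRNG, rendered as 32 hex characters."""
    return secrets.token_hex(16)

def positional_entropy_bits(ids: list[str]) -> float:
    """Sum of per-character-position Shannon entropy over a sample of IDs.
    A crude upper bound on the bits an attacker must guess: fixed positions
    contribute 0 bits, uniformly random hex positions about 4 bits each."""
    n = len(ids)
    total = 0.0
    for pos in range(len(ids[0])):
        counts = Counter(s[pos] for s in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total

def looks_sequential(ids: list[str], base: int) -> bool:
    """True when every pair of consecutive sampled IDs differs by the same
    constant, a counter pattern that positional entropy alone can miss
    once the counter is large enough to make every digit look varied."""
    values = [int(s, base) for s in ids]
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1

def audit(ids: list[str], base: int) -> dict:
    """Summarise both checks; expected_guesses is the average for a blind search."""
    bits = positional_entropy_bits(ids)
    return {"bits": round(bits, 2), "sequential": looks_sequential(ids, base),
            "expected_guesses": 2 ** (bits - 1)}

if __name__ == "__main__":
    weak = [weak_session_id(c) for c in range(1000, 2000)]   # constructed sample
    strong = [strong_session_id() for _ in range(1000)]
    print("weak  :", audit(weak, 10))
    print("strong:", audit(strong, 16))
```

The counter sample scores under 11 bits and is flagged as sequential, while the CSPRNG sample scores well over 100 bits; a real audit should sample IDs issued by the live application, since the weakness usually lives in the framework's generator rather than in the ID's length.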


Presenters:

  • Michael Sutton - Sr. Security Engineer iDEFENSE Labs
    Michael Sutton is a Senior Security Engineer for iDEFENSE Labs. Prior to joining iDEFENSE, Sutton established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. The ISAAS practice is responsible for information systems auditing on both external financial audit engagements and internal audit outsourcing. Consulting engagements included SAS 70 audits, attack and penetration tests, architecture reviews, computer forensics and designing security policies. Sutton has also worked in the Ernst & Young ISAAS practice in New York. He is presently pursuing a Master of Science in Information Systems Technology degree at The George Washington University and has a Bachelor of Commerce degree from the University of Alberta.
  • David Endler - Director iDEFENSE Labs
    David Endler is the director of iDEFENSE's security research group, iDEFENSE Labs. iDEFENSE is a global security intelligence services company that provides advanced warning and analysis of cyberthreats - from technical vulnerabilities to hacker profiling to the global spread of malicious code. Prior to iDEFENSE, Endler served with Deloitte and Touche LLP in the e-business security and technology practice. In previous lives, Endler performed security research for Xerox Corporation, National Security Agency, and Massachusetts Institute of Technology. Mr. Endler holds a B.S. and M.S. in Computer Science, and is an active member of the Open Web Application Security Project (OWASP).
