Pantek Library

RE: XSS and URL Encoded Session IDs

From: The Crocodile <tcroc(at)cow.pasture.com>
Date: Tue Dec 17 2002 - 07:10:12 EST


How random is the entropy on the SessionIDs? If it can be easily (or at least semi-easily) predicted, you have your answer. Try harvesting as many IDs as you can and see if you can find any patterns. Once you have a pattern discovered, write a script that keeps taking IDs. Once you see one of the IDs skipped, you know that it was taken by someone else.

Not the end-all, be-all of ways to do it, but it is something to think about.

--The Crocodile

-----Original Message-----

From: B F [mailto:zaphod_b71@hotmail.com]
Sent: Monday, December 16, 2002 3:19 PM
To: webappsec@securityfocus.com
Subject: XSS and URL Encoded Session IDs

Hi List,

Recently I did my first "real" WebApp Audit, so I'm quite new to this topic. The application in case has lots of XSS vulnerabilities, but they are only accessible if you already know the SessionID of a specific user. Example:

https://somesite.com/bad.asp?SID=4243434234234234?ID=<xss string of choice>

As you may have noticed, the site is only accessible via HTTPS. So how to craft a URL which will trigger the XSS? Don't I have to know the SessionID first?

The only thing I can think of is to exploit a client side vuln. to get the SID.

Any better ideas?

BF



Received on Tue Dec 17 10:44:16 2002
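
The predictability question raised in the reply, turned around as an audit an application owner can run against IDs issued by their own session generator. This is an added example, not part of the original posts; the function names, thresholds and sample IDs are constructed for illustration.

```python
import math
import secrets
from collections import Counter

def position_entropy(ids):
    """Mean Shannon entropy in bits per character position."""
    n, width = len(ids), min(len(i) for i in ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / width

def audit_session_ids(ids, max_step=1000, ratio=0.75):
    """Return findings for session IDs listed in the order they were issued."""
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate IDs issued")
    if all(i.isdigit() for i in ids):
        nums = [int(i) for i in ids]
        deltas = [b - a for a, b in zip(nums, nums[1:])]
        # A counter shows up as small, strictly positive steps between IDs.
        if deltas and all(0 < d <= max_step for d in deltas):
            findings.append(f"sequential counter, largest step {max(deltas)}")
    # Best case for this sample: every position uniform over the alphabet seen.
    alphabet = set("".join(ids))
    ceiling = math.log2(min(len(alphabet), len(ids)))
    entropy = position_entropy(ids)
    if entropy < ratio * ceiling:
        findings.append(f"low entropy: {entropy:.2f} of {ceiling:.2f} bits per character")
    return findings

def constructed_counter_ids(n=200, start=4243434234234234):
    """Constructed sample: a counter-style generator with gaps between IDs."""
    ids, current = [], start
    for k in range(n):
        ids.append(str(current))
        current += 1 + (k % 3)
    return ids

def csprng_ids(n=200):
    """Reference sample: 128-bit tokens from the OS CSPRNG."""
    return [secrets.token_hex(16) for _ in range(n)]

if __name__ == "__main__":
    print("counter:", audit_session_ids(constructed_counter_ids()))
    print("csprng: ", audit_session_ids(csprng_ids()))
```

A clean result here only rules out the two crude patterns tested; it does not prove the generator is unpredictable.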

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:46 EDT

