Saturday, May 14, 2005

Foundstone CookieDigger

Download Binaries -

Download User Guide -

For the Less Impatient

CookieDigger, designed by Foundstone, is a free tool to help identify
weak cookie generation and usage by web applications. The tool works by
collecting and analyzing cookies issued by a web application for
multiple users.

The tools functionality can be divided into 3 broad categories.
1. Cookie Collection
2. Cookie Analyses
3. Results

Average Length of the Cookie: If the average cookie length of the cookie
that is used as an authenticator is small then it would take fewer brute
force attempts to hijack another users session. On a popular site we
can assume many users to be logged in at the same time, therefore the
chances of a successful brute force attempt is high.

Character Set of the Cookie: The character set employed in the
generation of cookie value plays an important role in the determining
the strength of the authenticator. For any given cookie length, a large
character set increases the strength of the authenticator exponentially.
If the attacker can determine the character set employed by the
application, the brute force attempts can be crafted more efficiently.
The combination of the length of the cookie and the character set used
determines the strength of the authenticator.

Critical Information: The tool checks the cookie values set by the
application to see if any of the cookies contains the usernames or
password values in it. The check is performed on both the plain text
value of the cookie and on the base64 decoded value of the cookie. Other
common useful information passed in the cookie values are account
numbers, names, privilege levels, etc.

Entropy of the Cookies: The tool compares the different values of the
cookie values to check how many characters are changing for every
subsequent login. If the cookie value remains the same on subsequent
logins, it shows that the algorithm used for generating the cookies is
vulnerable to chosen plain text attacks. Furthermore, if the cookie
values remain the same on subsequent logins it gives the attacker longer
periods of time to perform the brute forces attempts.
Post a Comment