There is a problem with these keys, however, if they are not truly random. This is detailed in a paper I stumbled upon entitled “Brute-Force Exploitation of Web Application Session IDs” by David Endler. It covers ways in which these keys can be “hacked” because they are not unique, but rather follow some sequence which can be guessed. He lists some major websites which he was able to get access to information that should have been private.

The paper got me thinking about how to generate random session keys, so I created some quick Python scripts using Twisted which demonstrates my solution. (This was my first time using Twisted, so it’s very possible that there is a better way to structure the code).

Solution

The character buffer in the server is used to generate new keys.

To fill the buffer:

0. Create a list of websites which themselves deliver random web pages (eg, wikipedia)
1. Select a website from random and ask for a random page
2. Grab the data within the HTML body tags and put that string in the character buffer
3. When the buffer needs more data, go back to 1.

To generate X number of keys:

0. Grab two random lengths of the character buffer. Use one to re-seed the random generator and the other as the basis for the new session key. Create the session key using MD5 and the key seed
1. Update() the current MD5 session key using a generated random character / string
2. Add that key to the buffer.
3. When the key buffer needs more keys, go back to Step 1. For every Y number of keys generated, go back to Step 0.

Notes

We don’t use a a new seed for each MD5 session key because the buffer will be emptied too quickly. Of course, the settings for the buffer size, etc could be tweaked.

Performance

Running the server code on my Mac Mini (2.16GHz Dual Core) and 5 clients on another machine, I was able to service ~8000 keys/sec (~750 million keys/day).

Conclusion

My experiment satisfied my curiosity and answered the questions from my own project.

There are, of course, many tweaks that can be made. Send me the code changes to your favorites and I’ll include them.

Click to download the client server files.

Resources

• Brute-Force Exploitation fo Web Application Session IDs (PDF)

It requires the Python module csv (included with Python 2.3 or later)

Run the script like so:

./outlook2macjournal.py [input_file] [output_file]

If no input or output files are listed, it will use the following defaults:

Outlook (input): exchange_export.csv
MacJournal (output): macjournal_import.txt

You can click here to download the Outlook to MacJournal Python script.

from glorp import blah
import foo

I was happy to have found an open-source project which emulates that functionality in JavaScript! I haven’t been able to do more than skim the web site, but it looks promising.

Resources

• http://ajile.sourceforge.net/