This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Cookies Database"

From OWASP
Jump to: navigation, search
(More info on ltpatoken)
Line 610: Line 610:
  
  
[[Category:OWASP Testing Project]]
+
{{Category:OWASP Testing Project}}

Revision as of 15:00, 3 January 2007

Welcome to OWASP Cookies Database Project

OWASP Cookies Database project is aimed to collect and maintain all possible web servers/applications cookie details like cookie name, cookie value and the product name/version which generated the cookies. This database can be used to fingerprint the product name/version by comparing the cookie names and values against the database. This will enhance the accuracy of the application fingerprinting.

The database is ordered as a "reverse-lookup" to facilitate finding technologies in a testing situation. If you need to use the data in another order, we recommend copying the table into a spreadsheet and sorting it according to your needs.

Please help us grow the database by adding the cookies from your technology. To gather the appropriate data, simply go to the webpage in question and type in the following in the URL bar of your browser...

javascript:alert(document.cookie)

Then create an entry in the table below using the following format. If you don't know what product or version are involved, please leave them blank, and perhaps others will be able to help you. Note, you may want to change a few bytes in the example cookie value so that you aren't disclosing a secret cookie value.

|-
|wiki18_session
|qfn5s9|14upcs5b29prn7al090
|unknown
|MediaWiki
|MediaWiki
|1.8
|Used at http://www.wikipedia.com
|None

Cookie Database

Cookie Name Example Value Cookie Format Company Name Product Name Product Version Product Type Example Site Notes
JSESSIONID unknown Many Many Any J2EE Application server Many Many appservers use this cookie including Claudio Resin, Jakarta Tomcat/JSERV, Macromedia Jrun
ASPSESSIONIDXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXX unknown Microsoft Microsoft Internet Information Services 5.0 Application server Many Cookie name varies by site
ASP.NET_SessionId 0hqed4qelkxvjj153tplacm0 unknown Microsoft Microsoft Internet Information Services 6.0 Application server Many None
PHPSESSION unknown The PHP Group PHP Any Web server Many None


wiki18_session 14upcs5b29prn7al090 unknown MediaWiki MediaWiki 1.8 Content Management Server http://www.wikipedia.com/ None


WebLogicSession (too large too fit here) unknown BEA BEA WebLogic Any J2EE Application server TBD None
BIGipServerxxx_xxx_xxx_PROTO 2893454590.19741.0000 unknown F5 F5 BIG-IP Any Load balancer TBD Used to mantain persistence based on original client when balancing to a farm. The cookie name contains the name of the web site being accessed as weel as the protocol used.
SERVERID unknown HAproxy HAproxy Any Load balancer TBD More information in the [ http://haproxy.1wt.eu/download/1.2/doc/architecture.txt Architecture documentation]
SaneID A.B.C.D-1018349510644 unknown UNICA corporation Unica NetTracker (formerly SANE NetTracker) Any Tracking visitors http://www.sane.com/ A.B.C.D is the IP address of the client accessing the site
ssuid Maxliw00vvM00001fbb6Oxn0wb unknown Vignette Vignette Any Content Manager TBD None
vgnvisitor Mawd0M00heY0000~fBiFkE0035 unknown Vignette Vignette Any Content Manager TBD None


SESSION_ID (too large too fit here) unknown IBM IBM Net.Commerce Any Application TBD None


NSES40Session 2%253A3e57d375%253Adc59172283a7e72c unknown RedHat Netscape Enterprise Server 4.0 Application Server TBD None


iPlanetUserId A.B.C.D:29511018555049 unknown Sun iPlanet web server (discontinued, replaced by SunONE web server and later by Java System Application Server) 6.x Application Server TBD A.B.C.D is the client's IP address
gx_session_id_ f42d0282513ff402 unknown Sun Java System ApplicationServer) TBD Application Server TBD None.
JROUTE VAyc Four characters. Sun Java System ApplicationServer) http://www.sun.com/ Application Server TBD Used by the load balancing module to determine the server backend.
RMID d442af2b3d1ccf30 unknown Real RealMedia OpenAdStream 6.x Media Server TBD None
JSESSIONID afbx7QRlFZje unknown TBD Claudio Resin TBD J2EE Application server Many None
Apache A.B.C.D.265301162333949602 unknown Apache Foundation Apache web server http://www.paypal.com Web server Many A.B.C.D is the client's IP address


JSESSIONID 4ah34a8xo1 unknown Apache Foundation Jakarta Tomcat/JSERV TBD J2EE Application server Many None
JSESSIONID TBD IBM IBM WebSphere Application Server TBD J2EE Application server Many None.
JSESSIONID TBD IBM IBM HTTP Server TBD Web server Many When IHS is used as a plugin to WAS it will modify the JSESSIONID and add one value to identify the web server being balanced postfixing its name (as defined in the plugin configuration)
JSESSIONID 80302068121025709932681 unknown Macromedia Macromedia Jrun TBD J2EE Application server Many None
CFID unknown Macromedia Coldfusion TBD Application server Many See KB#17919 and KB#17915


CFTOKEN unknown Macromedia Coldfusion TBD Application server Many None


CFGLOBALS unknown Macromedia Coldfusion TBD Application server Many None
RoxenUserID 07761bc31df67ae8c4441a89bc7ceed5 unknown Roxen Roxen Web Server TBD Web server Many None


JServSessionIdroot vvni7vxu8n unknown Apache Foundation ApacheJServ TBD Web server Many None


sesessionid ZJ0DMWIAAA51VQFI50BD0VA unknown IBM IBM WebSphere Application Server TBD Application server Many None
PD-S-SESSION-ID 2_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx unknown IBM IBM Tivoli Access Manager WebSeal (part of the IBM TAM for e-business) 5.x, 6.x Reverse authentication proxy Many Where 'x' is {[A-Z],[a-z],[0-9],+,-}. The cookie is set as 'Secure'
PD_STATEFUL_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /LOCATION unknown IBM IBM Tivoli Access Manager WebSeal (part of the IBM TAM for e-business) 5.x, 6.x Reverse authentication proxy Many This cookie is used when accessing an authenticated area.


WEBTRENDS_ID A.B.C.D-1091519275.658578 unknown WebTrends WebTrends TBD Tracking visitors Many None.
__utmX unknown Google Urchin Tracking Module TBD Tracking visitors Many X can be 'a', 'b', 'c', 'v', 'z' ...


sc_id Number? Omniture Omniture http://2o7.net Tracking visitors Many None.
s_sq Number? Omniture Omniture http://2o7.net Tracking visitors Many None.
s_sess Number? Omniture Omniture http://2o7.net Tracking visitors Many None.
s_vi_XXXXXX XXXX[CE] Number? Omniture Omniture http://2o7.net Tracking visitors Many The XXX part of the cookie name and content are of variable length.
MintUnique 1 Number? Shaun Inman Mint TBD Tracking visitors Many None.
MintXXXX 1 Number? Shaun Inman Mint TBD Tracking visitors Many None.
SS_X_CSINTERSESSIONID 0001P73k2FUEYEU4Ks5TtKxcs2K:vv0b9pej unknown FatWire OpenMarket/FatWire Content Server TBD Content server Many None.


CSINTERSESSIONID 0001xquPwAx2NFUFvi7yw-43f35:vv7sdeqs unknown FatWire OpenMarket/FatWire Content Server TBD Content server Many None.


_sn u3YBSdYfaf0oa5H1hz7Tc0ccApc0T1Iz60QWgeSiMEA_ unknown Siebel Siebel CRM TBD Application Many None.


BCSI-CSCXXXXXXX 1 Number Bluecoat BlueCoat Proxy TBD Proxy Many None.
Ltpatoken TBD Base64 encoding +3DES encryption (ECB mode) using the server's DES password. Contains: TokenHeader[4 BYTES] + HexEncoded((DWORD)TokenCreationDate)[8 BYTES] + hexEncoded((DWORD)TokenExpirationDate)[8 BYTES] + Canonicalized username [variable] + SHA1(TokenHeader + TokenCreation + TokenExpiration + Username+Secret)[20 BYTES]. TokenHeader = First byte reserved, three bytes for secret sequence usage. TokenCreationDate = A number representing the time and date of the token creation. (TokenCreationDate is the number of seconds to elapse since midnight (00:00:00), January 1, 1970) in GMT. TokenExpirationDate = A number representing the time and date of the token expiration. (TokenExpirationDate is the number of seconds to elapse since midnight (00:00:00), January 1, 1970) in GMT IBM IBM WebSphere Application Server 5.1 and earlier Application server TBD LTPA (Lightweight Third Party Authentication) is used for Single Sign On. For more information see http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_msso.html for more information on decoding see http://www.penumbra.org/LWCM/forum.nsf/85255e6f0052055e85255d7f005ed8bc/FF6A0D36B80FBA6E85256CC60077C094?OpenDocument
Ltpatoken2 TBD TBD IBM IBM WebSphere Application Server 5.1.1 and later Application server TBD LTPA (Lightweight Third Party Authentication) is used for Single Sign On. For more information see http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_msso.html
Ltpatoken TBD Base64 encoded, 3-des encrypted: header:server/userDn % timestamps % rsa-signature. Timestamp is the expiration date (in long). IBM Lotus Domino 5.0x and later Application TBD LTPA (Lightweight Third Party Authentication) is used for Single Sign On. For more information see http://www.lotus.com/ldd/labscontent.nsf/lookup/session_auth, http://www.ibm.com/developerworks/ibm/library/it-0101art2/ and http://www.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/Main?OpenFrameSet. The cookie name can be changed (except for 5.0x servers) based on the iNotes_WA_AuthTokenName configuration variable. For more information on decoding see http://www.penumbra.org/LWCM/forum.nsf/85255e6f0052055e85255d7f005ed8bc/FF6A0D36B80FBA6E85256CC60077C094?OpenDocument


LtpatokenExpiry 12:00:00+GMT+Today String IBM Lotus Domino 5.0x and later Application TBD None
LtpatokenUsername CN=John+Doe/O=Org String IBM Lotus Domino 5.0x and later Application TBD None
DomAuthSessID TBD TBD IBM Lotus Domino TBD Application TBD Session-based authentication in a single server, by default, the cookie expires after 30 minutes of inactivity. See http://www.ibm.com/support/docview.wss?uid=swg27003558


Cookie Name Example Value Cookie Format Company Name Product Name Product Version Product Type Example Site Notes

Volunteers Needed

If you are interested in participating this project, drop a mail to syedma 'at' microland.net. The sucess of this project depends on more and more number of participants and cookie signatures


This project is part of the OWASP Breakers community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.
OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.


Flagship big.jpg

OWASP Testing Guide v4

ANNOUNCING THE NEW "OWASP TESTING GUIDE v4

17th September, 2014: OWASP is announcing the new OWASP Testing Guide v4.

A big thank you to all the contributors and reviewers!

3rd August 2015, the OWASP Testing Guide v4 book now available!
You can buy the Guide here


Or you can download the Guide here

OWTGv4 Cover.png

Or browse the guide on the wiki here

Classifications

Owasp-flagship-trans-85.png Owasp-breakers-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

OWASP Testing Guide v3

16th December 2008: OWASP Testing Guide v3 is finished!

  • You can download the Guide in PDF here
  • Download the presentation here
  • Browse the Testing Guide v3 on the wiki here

'NEW: OWASP projects and resources you can use TODAY'
16th April 2010 in London, OWASP leaders deliver a course focused on the main OWASP Projects.
Matteo Meucci will deliver a training course on the OWASP Testing Guide v3.
More information here

Video @ FOSDEM 09: here

Citations:

http://www.owasp.org/index.php/Testing_Guide_Quotes

Overview

This project's goal is to create a "best practices" web application penetration testing framework which users can implement in their own organizations and a "low level" web application penetration testing guide that describes how to find certain issues.

Version 3 of the Testing Guide was released in December 2008 after going through a major upgrade through the OWASP Summer of Code 2008.

History Behind Project The OWASP Testing guide originated in 2003 with Dan Cuthbert as one of the original editors. It was handed over to Eoin Keary in 2005 and moved onto the new OWASP wiki when it came online. Being in a wiki is easier for people to contribute and has made updating much easier. Matteo Meucci took on the Testing guide after Eoin and shepherded it through the version 2 and version 3 updates, which have been significant improvements.

OWASP Testing Guide v3

Testing Guide v3: plan (archive)

26th April 2008: Version 3 of the Testing Guide started under OWASP Summer of Code 2008.

6th November 2008: Completed draft created and previewed at OWASP EU Summit 2008 in Portugal.

Final stable release in December 2008

OWASP Testing Guide v2

10th February 2007: The OWASP Testing Guide v2 is now published Matteo Meucci (as part of his AoC project) has just published the latest version of Testing guide which:

OWASP Testing Guide v2 in Spanish: Now you can get a complete translation in Ms Doc format

For comments or questions, please join the OWASP Testing mailing list, read our archive and share your ideas. Alternatively you can contact Eoin Keary or Matteo Meucci directly.

Here you can find:

We hope you find the information in the OWASP Testing project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the OWASP Testing mailing list. Thanks!

To join the OWASP Testing mailing list or view the archives, please visit the subscription page.

Thanks to the translators all around the world you can download the guide in the following languages:

  • Japanese in PDF format here (this is a 1st draft of v3.0, final release coming soon).
  • Hebrew in PDF format (Risk Rating Methodology only for now). Thanks to Tal Argoni from TriadSec.

We invite you to explore and help us translate OWASP Testing Guide 4.0 at Crowdin. Please visit URL below to start translating this project:

https://crowdin.com/project/owasp-testing-guide-40/invite

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Testing Project (home page)
Purpose:
  • The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
License: Creative Commons Attribution Share Alike 3.0
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
current release
Testing Guide V 4.0 - 15th February 2013

The new project is available here - (no download available)

Release description:
  • Review all the control numbers to adhere to the OWASP Common numbering,
  • Review all the sections in v3,
  • Create a more readable guide, eliminating some sections that are not really useful,
  • Insert new testing techniques: HTTP Verb tampering, HTTP Parameter Pollutions, etc.,
  • Rationalize some sections as Session Management Testing,
  • Create a new section: Client side security and Firefox extensions testing.
Rating: Yellow button.JPG Not Reviewed - Assessment Details
last reviewed release
Testing Guide V 3.0 - December 2008 - (download)
Release description: The OWASP Testing Guide v3 is a 349 page book; we have split the set of active tests in 9 sub-categories for a total of 66 controls to test during the Web Application Testing activity.
Rating: Greenlight.pngGreenlight.pngGreenlight.png Stable Release - Assessment Details


other releases


This category currently contains no pages or media.

Retrieved from "https://wiki.owasp.org/index.php?title=Category:OWASP_Cookies_Database&oldid=14866"