Difference between revisions of "Talk:Testing for Bypassing Authentication Schema (OTG-AUTHN-004)"
Older revision (edit summary: Direct page request image) → Latest revision (edit summary: →Why is it possible to restrict brute force when cookie id goes symmetrically?)
(3 intermediate revisions by 3 users not shown)

Line 4:
  Is it possible to replace the image below Direct Page Request with one that is more intuitive? I'm not exactly sure what the intent of that image was.
+
+ == Why is it possible to restrict brute force when cookie id goes symmetrically? ==
+
+ In Session ID Prediction, the document says that "In the following figure, values inside cookies change only partially, so it's possible to restrict a brute force attack to the defined fields shown below." whereas the Session ID goes very symmetrically in some part, so it is possible to guess what a sequenced valid cookie is.
+ The first part of the Session ID increases 1 by 1; the second part of the Session ID increases almost 10 by 10.
+ Am I right?
Latest revision as of 07:44, 3 March 2016
Can't seem to delete section 4. It is redundant. Also, there is a misspelling of the word Authentication in the image.
Direct page request image
Is it possible to replace the image below Direct Page Request with one that is more intuitive? I'm not exactly sure what the intent of that image was.
Why is it possible to restrict brute force when cookie id goes symmetrically?
In Session ID Prediction, the document says that "In the following figure, values inside cookies change only partially, so it's possible to restrict a brute force attack to the defined fields shown below." whereas the Session ID goes very symmetrically in some part, so it is possible to guess what a sequenced valid cookie is. The first part of the Session ID increases 1 by 1; the second part of the Session ID increases almost 10 by 10. Am I right?
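The check the comment above is asking about can be made mechanical: collect a handful of session IDs issued in sequence, split them into their fields, and classify each field by how its value moves between consecutive IDs. A field that is constant or steps by a fixed (or nearly fixed) amount contributes no entropy, which is exactly why the guide says a brute force can be restricted to the remaining fields. The script below is an added example, not code from the OWASP Testing Guide or from this talk page; the session IDs in SAMPLE_IDS are constructed to mirror the pattern described (first field +1, second field roughly +10, third field random hex), the field separator and the 50% tolerance for "near-linear" are assumptions, and generate_session_id shows the hardened alternative a remediation would introduce.

```python
import secrets

# Constructed sample of sequentially issued session IDs (not captured from any real application).
# Field 0 increments by exactly 1, field 1 by roughly 10, field 2 is random hex.
SAMPLE_IDS = [
    "000101-000500-7f3a9c",
    "000102-000511-b21d4e",
    "000103-000519-0c77e1",
    "000104-000530-e9a02b",
    "000105-000538-51d6f0",
    "000106-000549-a4b8c3",
]


def field_deltas(values):
    """Consecutive differences for a decimal numeric field, or None if the field is not decimal."""
    try:
        nums = [int(v, 10) for v in values]
    except ValueError:
        return None
    return [b - a for a, b in zip(nums, nums[1:])]


def classify_field(values, tolerance=0.5):
    """Label one field of the session ID by how it changes across consecutive samples.

    'constant'      : same value every time
    'linear'        : fixed step between samples (next value is fully determined)
    'near-linear'   : step varies by at most `tolerance` of its largest magnitude (assumed threshold)
    'unpredictable' : no numeric pattern found in the sample
    """
    if len(set(values)) == 1:
        return "constant", None
    deltas = field_deltas(values)
    if not deltas:
        return "unpredictable", None
    if len(set(deltas)) == 1:
        return "linear", deltas
    spread = max(deltas) - min(deltas)
    if spread <= tolerance * max(abs(d) for d in deltas):
        return "near-linear", deltas
    return "unpredictable", deltas


def analyze_session_ids(ids, sep="-"):
    """Per-field report for a list of session IDs that share a delimiter-separated layout."""
    fields = list(zip(*(s.split(sep) for s in ids)))
    report = []
    for idx, values in enumerate(fields):
        verdict, deltas = classify_field(values)
        report.append({"field": idx, "verdict": verdict, "deltas": deltas,
                       "distinct_values": len(set(values))})
    return report


def predictable_fields(ids, sep="-"):
    """Indices of fields whose value an observer could narrow down; these carry no real entropy."""
    return [r["field"] for r in analyze_session_ids(ids, sep) if r["verdict"] != "unpredictable"]


def generate_session_id(nbytes=16):
    """Hardened replacement: an opaque CSPRNG token with no structure for an attacker to exploit."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for row in analyze_session_ids(SAMPLE_IDS):
        print(row)
    print("fields to exclude from the entropy estimate:", predictable_fields(SAMPLE_IDS))
    print("example hardened id:", generate_session_id())
```

On the constructed sample the first field is reported as linear, the second as near-linear and only the third as unpredictable, which is the finding the guide's figure is describing: the effective keyspace is that of the third field alone. The remediation is not to obfuscate the counters but to replace the whole identifier with a token from a cryptographically secure generator, as generate_session_id does.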