
Difference between revisions of "Talk:Testing for Bypassing Authentication Schema (OTG-AUTHN-004)"

From OWASP

Latest revision as of 07:44, 3 March 2016

Can't seem to delete section 4. It is redundant. Also, there is a misspelling of the word Authentication in the image.

Direct page request image

Is it possible to replace the image below Direct Page Request with one that is more intuitive? I'm not exactly sure what the intent of that image was.

Why is it possible to restrict brute force when cookie id goes symmetrically?

In Session ID Prediction, the document says that "In the following figure, values inside cookies change only partially, so it's possible to restrict a brute force attack to the defined fields shown below." whereas the Session ID goes very symmetrically in some parts, so it is possible to guess what a sequenced valid cookie is. The first part of the Session ID increases 1 by 1; the second part of the Session ID increases almost 10 by 10. Am I right?
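The kind of check behind the question above, as an added example that is not part of the talk page or the OWASP Testing Guide: given a handful of consecutively issued session IDs and an assumed fixed-width field layout, label each field as static, sequential (the "1 by 1" / "almost 10 by 10" case) or unpatterned, and count how many bits a guesser would still have to cover. The sample IDs, the field layout and the 64-bit threshold are constructed assumptions for this example.

```python
import math

# Constructed sample: six consecutive session IDs from a hypothetical weak generator.
# Assumed layout: chars 0-3 static tag, 4-7 hex counter, 8-13 decimal ticker.
WEAK_SAMPLE = [
    "7d3f00a1000120",
    "7d3f00a2000131",
    "7d3f00a3000140",
    "7d3f00a4000151",
    "7d3f00a5000160",
    "7d3f00a6000171",
]
WEAK_FIELDS = [(0, 4, 16), (4, 8, 16), (8, 14, 10)]  # (start, end, numeric base)

# Constructed sample: IDs from a hypothetical CSPRNG-backed generator, one 64-bit field.
STRONG_SAMPLE = [
    "c4a1f09e3b7d2e65",
    "0f8e72a1d93c4b10",
    "9b3d5e7a21f0c846",
    "62e0b19f4a7d3c58",
    "d7a94c01e3b56f2a",
    "1e5f8c2b7a09d4e3",
]
STRONG_FIELDS = [(0, 16, 16)]


def classify_field(ids, start, end, base):
    """Label one field as 'static', 'sequential' or 'unpatterned' across consecutive IDs."""
    values = [int(s[start:end], base) for s in ids]
    if len(set(values)) == 1:
        return "static"
    deltas = [b - a for a, b in zip(values, values[1:])]
    # Strictly increasing with a roughly constant step (within 2x) counts as sequential,
    # which covers both "increases 1 by 1" and "increases almost 10 by 10".
    if all(d > 0 for d in deltas) and max(deltas) <= 2 * min(deltas):
        return "sequential"
    return "unpatterned"


def assess(ids, fields):
    """Return (field labels, bits still unpredictable, meets assumed 64-bit minimum)."""
    labels = [classify_field(ids, *f) for f in fields]
    # Only unpatterned fields contribute guessing work: width * log2(base) bits each.
    bits = sum((end - start) * math.log2(base)
               for (start, end, base), lab in zip(fields, labels) if lab == "unpatterned")
    # Assumed threshold for this example: 64 bits of effective session ID entropy.
    return labels, bits, bits >= 64
```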