Post by marionmccune on Jan 30, 2013 12:36:07 GMT -5
I'm testing a Web application based on SAP for a customer. One of the checks we normally do is to analyse the cookie holding the session token to make sure that it is sufficiently random and you can't predict the next valid token. We do this using Burp sequencer. On this occasion I noticed that the cookie appeared to have a large amount of static data at the beginning of it. I Base64 decoded it and found out that the first 130 characters (in text) contain the user name, customer code and date/time. I believe this is a known 'feature' of SAP. What I am struggling to be able to explain in my report is how the results of the decoder match up to the sequencer. For example - in clear text in the cookie the static data should start at position zero and finish at character 130 - but this does not correspond to the values seen in the character analysis in the sequencer - nor does the number of characters shown in total correspond to the actual character count in the cookie. I can see the static portion in the sequencer, and even the entropy spike where the time portion changes, I just can't correlate the character positions. In addition, when I look at the bit analysis in the sequencer, the values seem to be reversed, so that instead of seeing the static value at the start of the sequence - I can see it at the end.
I posted this on Security Stack Exchange today - but I haven't had an answer - so I am guessing this is either an obscure question or a stupid one. Any assistance from anyone would be great though.
Re the character positions, did you enable the option to Base64-decode the cookies before analyzing them? If not, that might be the reason why the character positions reported in the Sequencer results don't correlate to positions in the decoded cookie.
Re bit positions, if some parts of the cookie contain unchanging data, then in the conversion from characters to bits, Burp will derive zero bits of possible entropy from those positions - since there is only ever one character at that position, there is nothing to analyze, and so no bits are derived for it. This might be the reason why you can't map the bit position results directly to the cookie.
Reminds me a bit of assessments that have required significant decoding and manipulation of cookies/data to get meaningful results from the sequencer. Slicing out the "random" data and just running entropy checks on that, via the "Manual Load" tab, is frequently more useful than just having Burp aggregate the cookies and analyze from there.
Just another example of a time when a little human effort shaves loads of time off implementing automation.
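As an added illustration of the two replies above (this is example code, not from the thread or from Burp), the script below Base64-decodes a batch of constructed sample cookies, computes the entropy at each decoded position so the static prefix shows up as zero-bit positions, and slices out only the varying tail in a form that can be pasted into Sequencer's Manual Load tab. The prefix contents, token values and function names are all made up for the example.

```python
import base64
import math
from collections import Counter

# Constructed sample cookies: a static prefix (user name, customer code,
# date/time) followed by a short varying token, then Base64-encoded as the
# thread describes. All values are made up for this example.
PREFIX = b"user=jsmith;cust=ACME01;ts=2013-01-30T12:36"
SAMPLE_TOKENS = [b"7f3a9c", b"b81e02", b"c4d5f1", b"0a6e37", b"e29b44", b"51c8d0"]
SAMPLE_COOKIES = [base64.b64encode(PREFIX + t).decode() for t in SAMPLE_TOKENS]


def decode_cookies(cookies):
    """Base64-decode each cookie. Positions measured on the encoded text do
    not line up with positions in the decoded bytes (4 chars per 3 bytes)."""
    return [base64.b64decode(c) for c in cookies]


def position_entropy(samples):
    """Shannon entropy (bits) of the byte observed at each position across
    samples. A position that never changes has a single symbol and so yields
    0 bits, which is why static parts contribute nothing to bit-level analysis."""
    length = min(len(s) for s in samples)
    n = len(samples)
    result = []
    for i in range(length):
        counts = Counter(s[i] for s in samples)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def static_prefix_length(samples):
    """Number of leading decoded positions with zero entropy (the static prefix)."""
    count = 0
    for h in position_entropy(samples):
        if h > 0:
            break
        count += 1
    return count


def slice_random_part(cookies):
    """Decode, drop the static prefix and keep only the varying tail, one value
    per cookie, ready for a Manual Load run against just that portion."""
    decoded = decode_cookies(cookies)
    cut = static_prefix_length(decoded)
    return [d[cut:] for d in decoded]


if __name__ == "__main__":
    decoded = decode_cookies(SAMPLE_COOKIES)
    print("encoded length:", len(SAMPLE_COOKIES[0]), "decoded length:", len(decoded[0]))
    print("static prefix ends at decoded byte", static_prefix_length(decoded))
    for tail in slice_random_part(SAMPLE_COOKIES):
        print(tail.decode())
```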