How is QID 86310 - Web Server Predictable Session ID Vulnerability detected?

Document created by kb-author-1 (Employee) on May 19, 2010. Last modified by eschamp on Sep 2, 2010.

Issue:

How is QID 86310 - Web Server Predictable Session ID Vulnerability detected?

Solution:

This vulnerability is tested as follows:

1. QualysGuard sends several consecutive HTTP requests to the web server.

2. For each reply sent by the web server, QualysGuard collects the cookie set in that reply, for example:

"Set-Cookie: ASPSESSIONIDCBABCTAT=KPPGDIMDDMANNJHAHCBKCOJO; path=/"

3. After receiving all replies and collecting the different cookies, QualysGuard examines how many of the cookie's characters vary from one reply to the next.

QID 86310 is reported if too many characters of the cookie have fixed values, i.e. the cookie does not vary enough between replies.
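The three steps above, as an added Python example that is not Qualys's own scanner code: it parses Set-Cookie headers from constructed sample replies, counts the character positions that change between replies, and flags a cookie when fewer than an assumed 50% of its positions vary (the article does not state the real cutoff). The constant "lang" cookie is flagged as well, which illustrates the false-positive case described below.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: headers from five consecutive replies (not real captures).
# The ASP cookie differs only in its last two characters; "sid" differs everywhere;
# "lang" never changes and is not a session ID at all.
_ASP = ["KPPGDIMDDMANNJHAHCBKCOJO", "KPPGDIMDDMANNJHAHCBKCOJP", "KPPGDIMDDMANNJHAHCBKCOJQ",
        "KPPGDIMDDMANNJHAHCBKCOKA", "KPPGDIMDDMANNJHAHCBKCOKB"]
_SID = ["a7f3k2q9", "z1m8p4e6", "q0w9x5r2", "h3j7n1l8", "b6c2v4t0"]
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\n"
    f"Set-Cookie: ASPSESSIONIDCBABCTAT={a}; path=/\r\n"
    f"Set-Cookie: sid={s}; path=/\r\nSet-Cookie: lang=en; path=/\r\n\r\n"
    for a, s in zip(_ASP, _SID)
]

SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;\s]+)=([^;\r\n]*)", re.I | re.M)


def collect_cookies(responses: List[str]) -> Dict[str, List[str]]:
    """Step 2: gather every Set-Cookie value, keyed by cookie name."""
    found: Dict[str, List[str]] = defaultdict(list)
    for raw in responses:
        for name, value in SET_COOKIE_RE.findall(raw):
            found[name].append(value)
    return dict(found)


def varying_positions(values: List[str]) -> Tuple[int, int]:
    """Step 3: count character positions whose value changes between replies.
    Returns (varying, compared); comparison runs over the shortest value."""
    if len(values) < 2:
        return 0, 0
    width = min(len(v) for v in values)
    varying = sum(1 for i in range(width) if len({v[i] for v in values}) > 1)
    return varying, width


def is_predictable(values: List[str], min_varying_fraction: float = 0.5) -> bool:
    """Flag a cookie when too few of its positions vary. The 0.5 cutoff is an
    assumption for illustration; the article does not state the real threshold."""
    varying, width = varying_positions(values)
    return width > 0 and varying / width < min_varying_fraction


def assess(responses: List[str]) -> Dict[str, bool]:
    """Return, per cookie name, whether it would be reported as predictable."""
    return {n: is_predictable(v) for n, v in collect_cookies(responses).items()}
```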

False positives may occur when the examined cookies are not actually session IDs. The QualysGuard test is unable to tell which cookies are session IDs and which are not. It examines all cookies it finds.

If a false positive is suspected, please contact our support team (see http://www.qualys.com/support/ for details) to open a case so our vulnerability team can investigate and make any necessary corrections.

Qualys Support KnowledgeBase

http://community.qualys.com/community/kb