lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 1 Feb 2007 00:18:35 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: webappsec@...urityfocus.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: stompy the session stomper - tool availability

On Sat, 27 Jan 2007, Michal Zalewski wrote:

> I'd like to announce the availability of 'stompy', a free tool to perform
> a fairly detailed black-box assessment of WWW session identifier
> generation algorithms.

I'm genuinely surprised by the amount of (mostly positive ;-) feedback I
got! Just an one-time, quick heads up: in response to numerous
suggestions, I added a couple of fairly significant features to the tool
that should make it capable of discovering far more - so if you downloaded
it several days ago, you might want to update your copy:

  - It now supports SSL connections, custom-crafted requests including
    POSTs, and input from external sources (for evaluation of non-WWW
    tokens of any type),

  - It now uses GNU MP library to losslessly handle alphabets that do not
    directly map to binary (this is big),

  - Can run spatial correlation checks as well as temporal analysis of
    bitstreams in acquired samples,

  - The output is much more readable, some minor bugs were fixed.

A much better documentation is available, as well. The tarball for version
0.04 is available here: http://lcamtuf.coredump.cx/stompy.tgz

Regards (and shutting up!),
/mz

Powered by blists - more mailing lists