| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Feb 2007 00:18:35 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ne.ids.pl>
To: webappsec@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: stompy the session stomper - tool availability
On Sat, 27 Jan 2007, Michal Zalewski wrote:
> I'd like to announce the availability of 'stompy', a free tool to perform
> a fairly detailed black-box assessment of WWW session identifier
> generation algorithms.
I'm genuinely surprised by the amount of (mostly positive ;-) feedback I
got! Just an one-time, quick heads up: in response to numerous
suggestions, I added a couple of fairly significant features to the tool
that should make it capable of discovering far more - so if you downloaded
it several days ago, you might want to update your copy:
- It now supports SSL connections, custom-crafted requests including
POSTs, and input from external sources (for evaluation of non-WWW
tokens of any type),
- It now uses GNU MP library to losslessly handle alphabets that do not
directly map to binary (this is big),
- Can run spatial correlation checks as well as temporal analysis of
bitstreams in acquired samples,
- The output is much more readable, some minor bugs were fixed.
A much better documentation is available, as well. The tarball for version
0.04 is available here: http://lcamtuf.coredump.cx/stompy.tgz
Regards (and shutting up!),
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists