lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <78FA4E96C9E69341989E9416E06225DBC28860@tgbex.otl.portcullis-security.com>
Date: Thu, 1 Feb 2007 09:52:18 -0000
From: "Thomas L. Romanis" <TLR@...tcullis-security.com>
To: "Michal Zalewski" <lcamtuf@...ne.ids.pl>, <webappsec@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: stompy the session stomper - tool availability

IT would help if DansGuardian did stop you downloading the updated
version! ; )

 

-----Original Message-----
From: listbounce@...urityfocus.com [mailto:listbounce@...urityfocus.com]
On Behalf Of Michal Zalewski
Sent: 31 January 2007 23:19
To: webappsec@...urityfocus.com
Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Subject: Re: stompy the session stomper - tool availability

On Sat, 27 Jan 2007, Michal Zalewski wrote:

> I'd like to announce the availability of 'stompy', a free tool to 
> perform a fairly detailed black-box assessment of WWW session 
> identifier generation algorithms.

I'm genuinely surprised by the amount of (mostly positive ;-) feedback I
got! Just an one-time, quick heads up: in response to numerous
suggestions, I added a couple of fairly significant features to the tool
that should make it capable of discovering far more - so if you
downloaded it several days ago, you might want to update your copy:

  - It now supports SSL connections, custom-crafted requests including
    POSTs, and input from external sources (for evaluation of non-WWW
    tokens of any type),

  - It now uses GNU MP library to losslessly handle alphabets that do
not
    directly map to binary (this is big),

  - Can run spatial correlation checks as well as temporal analysis of
    bitstreams in acquired samples,

  - The output is much more readable, some minor bugs were fixed.

A much better documentation is available, as well. The tarball for
version
0.04 is available here: http://lcamtuf.coredump.cx/stompy.tgz

Regards (and shutting up!),
/mz

------------------------------------------------------------------------
-
Sponsored by: Watchfire

Today's hackers exploit web applications to expose, embarrass and even
steal. Firewalls and SSL may be commonplace but recent studies indicate
3 out of 4 websites remain vulnerable to attack. Watchfire's "Addressing
Challenges in Application Security" whitepaper, explains what to do and
provides a guideline to improving your own application security. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fHF
------------------------------------------------------------------------
--



 




*************************************************************
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and do not
represent the opinion of the organisation. 
Access to this email by persons other than the intended
recipient is strictly prohibited.
If you are not the intended recipient, any disclosure, copying,
distribution or other action taken or omitted to be taken in
reliance on it, is prohibited and may be unlawful. 
When addressed to our clients any opinions or advice contained
in this email is subject to the terms and conditions expressed
in the applicable Portcullis Computer Security Limited terms
of business.
**************************************************************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ