Michal Zalewski, an independent security researcher, announced the availability of Stompy, a free tool for performing a black-box assessment of Internet session IDs. While some session ID cookie generation algorithms are believed to be cryptographically secure, this is not the case for certain less-common enterprise web platforms.
“Some session ID cookie generation mechanisms are well-studied and well-documented, and believed to be cryptographically secure (example: Apache Tomcat, PHP, ASP.NET builtins). This is not necessarily so for certain less researched enterprise web platforms – and almost never so for custom solutions that are frequently implemented inside the web application itself,” says Zalewski.
Stompy is a tool that helps penetration testers and security researchers reliably detect anomalies that are not readily apparent at first glance. Stompy gives security researchers the ability to locate session IDs, run FIPS 140-2 PRNG evaluation tests, determine the encoding and alphabet structure of the IDs, and more.
Although Zalewski says that the tool cannot prove the correctness of an implementation, Stompy has already revealed several potential new weaknesses in web application platforms.
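The checks described above (alphabet detection, decoding, and the FIPS 140-2 PRNG tests) can be illustrated with a small script. The following is an added example written for this article; it is not Stompy's own code and is not taken from Zalewski's project. It assumes a batch of session IDs has already been collected from your own application, infers their encoding from the characters used, concatenates the decoded bits into the 20,000-bit sample FIPS 140-2 specifies, and runs the monobit, poker, runs and long-run tests with the bounds from the FIPS 140-2 change notices. The two sample generators (`weak_ids`, a hex-encoded counter, and `strong_ids`, built on `secrets`) are constructed here purely for demonstration.

```python
"""Added example: FIPS 140-2 style statistical checks over a batch of session IDs.

Not Stompy's code. Standalone illustration of the black-box steps the article
describes: infer the ID alphabet, decode the IDs to bits, and run the four
FIPS 140-2 PRNG tests on a 20,000-bit sample.
"""
import base64
import itertools
import secrets
import string

FIPS_BITS = 20_000

# Candidate alphabets, checked from most to least restrictive. A base64 ID that
# happens to use only hex characters would be misclassified; collect enough IDs.
HEX = set(string.hexdigits)
BASE64 = set(string.ascii_letters + string.digits + "+/=")
BASE64URL = set(string.ascii_letters + string.digits + "-_=")


def detect_alphabet(ids):
    """Guess how the session IDs are encoded from the characters they use."""
    chars = set("".join(ids))
    if chars <= HEX:
        return "hex"
    if chars <= BASE64:
        return "base64"
    if chars <= BASE64URL:
        return "base64url"
    return "raw"


def decode_id(sid, alphabet):
    """Turn one ID into the raw bytes it encodes (or its ASCII bytes if unknown)."""
    if alphabet == "hex":
        return bytes.fromhex("0" + sid if len(sid) % 2 else sid)
    pad = "=" * (-len(sid) % 4)
    if alphabet == "base64":
        return base64.b64decode(sid + pad)
    if alphabet == "base64url":
        return base64.urlsafe_b64decode(sid + pad)
    return sid.encode()


def ids_to_bits(ids, n_bits=FIPS_BITS):
    """Concatenate decoded IDs into a bit string of exactly n_bits."""
    alphabet = detect_alphabet(ids)
    bits = "".join(format(b, "08b") for sid in ids for b in decode_id(sid, alphabet))
    if len(bits) < n_bits:
        raise ValueError(f"need {n_bits} bits, got {len(bits)}: collect more IDs")
    return bits[:n_bits]


# --- FIPS 140-2 tests (bounds as tightened by the change notices) ---

def monobit(bits):
    """Number of ones in 20,000 bits must fall in (9725, 10275)."""
    return 9725 < bits.count("1") < 10275


def poker(bits):
    """Chi-square style statistic over 5000 4-bit nibbles must fall in (2.16, 46.17)."""
    counts = [0] * 16
    for i in range(0, len(bits) - 3, 4):
        counts[int(bits[i:i + 4], 2)] += 1
    x = 16 / 5000 * sum(c * c for c in counts) - 5000
    return 2.16 < x < 46.17


RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}   # 6 means "6 or longer"


def run_lengths(bits):
    """List of (bit, length) for every maximal run of identical bits."""
    return [(k, len(list(g))) for k, g in itertools.groupby(bits)]


def runs(bits):
    """Counts of 0-runs and 1-runs of each length must each lie within RUN_BOUNDS."""
    counts = {b: {k: 0 for k in RUN_BOUNDS} for b in "01"}
    for b, length in run_lengths(bits):
        counts[b][min(length, 6)] += 1
    return all(lo <= counts[b][k] <= hi
               for b in "01" for k, (lo, hi) in RUN_BOUNDS.items())


def long_run(bits):
    """No run of 26 or more identical bits may occur."""
    return max((length for _, length in run_lengths(bits)), default=0) < 26


def fips_140_2(bits):
    """Return each test's verdict; the sample passes only if all four do."""
    return {"monobit": monobit(bits), "poker": poker(bits),
            "runs": runs(bits), "long_run": long_run(bits)}


def assess(ids):
    """(overall pass, per-test verdicts) for a batch of session IDs."""
    results = fips_140_2(ids_to_bits(ids))
    return all(results.values()), results


# Constructed sample generators, labelled as such: not real platform output.
def weak_ids(n):
    """Deliberately weak: a hex-encoded counter masquerading as a 128-bit ID."""
    return [format(i, "032x") for i in range(1, n + 1)]


def strong_ids(n):
    """Reference generator using the OS CSPRNG, 128 bits per ID."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    for name, ids in (("counter", weak_ids(160)), ("secrets", strong_ids(160))):
        ok, res = assess(ids)
        print(f"{name:8s} {'PASS' if ok else 'FAIL'} {res}")
```

A failing verdict is a strong signal that the generator is not producing uniformly random bits, but a passing one proves little: a counter encrypted with a fixed key or a non-cryptographic PRNG such as a Mersenne Twister will pass every FIPS 140-2 test while remaining predictable to anyone who recovers its state. That is the limitation the article notes, and why this kind of check belongs alongside a review of the generator's source rather than in place of it.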