Hello and welcome to the Cybrary Secure Coding course.
My name is Sonny Wear, and this is OWASP Top 10 for 2013, A8 Cross-Site Request Forgery, demo: Session ID Entropy Analysis.
This is the demo for
Session ID Entropy Analysis. What we're gonna do is use Mutillidae
and we're going to set the security level to level one.
This is higher than level zero. Level zero doesn't use any anti-CSRF tokens at all, and so we want to at least set it to level one so that we can see some anti-CSRF tokens.
And the page we're gonna use to do our testing against is CSRF, Add to Your Blog.
So the first thing I want to do is go ahead and turn on my interceptor in Burp Suite.
I'm gonna refresh the page.
Anti-CSRF tokens are assigned in your application code. They're always assigned in the HTTP response, so we need to forward.
And so this is our response. And so in that response, we find the CSRF token.
Looks like it has a value of four digits and they're all the same. So it doesn't look very random to me, but
let's go ahead and let Burp help us determine that.
We're gonna send this to the Sequencer.
Now, in the Sequencer, you're going to be able to start live captures of tokens, so it will actually send multiple requests. Burp Suite will send multiple requests to the application,
ah, and then basically grab those tokens and run them through some algorithms and determine just how random those tokens are.
Now, but before we do that, let's go ahead and set up some custom fields for Burp Suite to look at.
Uh, I'm gonna just highlight the value.
And so it's captured "value=".
So if we wanted to get more granular, we could actually put all of this content
to help Burp to find the anti-CSRF token. Or you could just highlight the token if you didn't want to add the extra.
Okay, so that's set up.
So now all I need to do is go ahead and start the live capture.
Now you can see the number of requests being sent through.
You need to get about 200 tokens before you can really get a good analysis.
So we just hit that mark. Now let's go ahead and analyze.
And it says the overall quality of randomness within the sample is extremely poor,
and it's giving the amount of effective entropy as being zero bits.
Now, just so you know, the standard is around 128 bits. That's kind of the de facto of having a strong or moderate
token strength, at least at this time. And so
this is obviously because there's just no level of randomness at all. We're getting zero bits, so we'll stop that.
So returning to our page, make sure your interceptor's turned off for the moment in Burp Suite.
And we want to come back and go ahead and crank up the security level.
So just toggle security.
And that brings it up to a five. Okay, so now let's turn on our interceptor,
forward to get our response.
Look for our CSRF token.
So this time it looks like we've got more randomness in this token.
Let's go ahead and send that over to the sequencer
and set up our custom location
and go ahead and start our live capture.
We're almost up to the 200 mark.
So we just hit the 200 mark. Let's go ahead and analyze.
All right. So it says now that the overall quality of randomness is excellent
and that we have an effective entropy
of 141 bits. So that even goes beyond the 128 bits that I mentioned as being the de facto. So this is very, very good.
Now if we were to go back and look again at the tokens that were generated at level one, what you would notice is that the tokens are all the same. So
there's no unique anti-CSRF token being generated per request for each user. And, of course, that can lead to our session fixation and basically the ineffectiveness, or making the use of any CSRF tokens completely inert.
So hopefully this has been helpful in
helping you to determine just how random your anti-CSRF tokens are in your Web application.
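The demo shows Burp Sequencer reporting zero bits for the repeating level-one token and 141 bits for the level-five token. As an added example that is not part of the course material or of Burp's own algorithm, the Python below estimates the varying bits in a token sample with a simple per-position Shannon entropy sum, run over three constructed samples: a constant 4-digit token, a padded request counter, and fresh 128-bit random tokens.

```python
import math
import secrets
from collections import Counter


def position_entropy_bits(tokens):
    """Estimate how many bits of a token sample actually vary.

    Sums the Shannon entropy (bits) of the characters seen at each position.
    This is a simplified stand-in for the tests Burp Sequencer runs, not its
    algorithm: a constant token scores 0 bits, a counter scores only the bits
    of its changing digits, and a uniformly random token approaches
    len(token) * log2(alphabet size). With a finite sample (200 tokens here)
    the estimate lands a little under that ceiling, so a true 128-bit token
    reads as roughly 125 to 127 bits.
    """
    if not tokens:
        raise ValueError("need at least one token")
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens in the sample must have the same length")
    n = len(tokens)
    bits = 0.0
    for pos in range(length):
        for count in Counter(t[pos] for t in tokens).values():
            p = count / n
            bits -= p * math.log2(p)
    return bits


def duplicate_fraction(tokens):
    """Share of tokens that repeat an earlier value (1.0 would mean no variety at all)."""
    return 1 - len(set(tokens)) / len(tokens)


# Constructed samples standing in for a Burp live capture of about 200 responses:
# level 1 reuses one 4-digit value, a naive counter pads a request number,
# level 5 draws a fresh 128-bit token (32 hex chars) for every response.
LEVEL1_SAMPLE = ["7777"] * 200
COUNTER_SAMPLE = [f"{i:04d}" for i in range(200)]
LEVEL5_SAMPLE = [secrets.token_hex(16) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("level 1", LEVEL1_SAMPLE),
                         ("counter", COUNTER_SAMPLE),
                         ("level 5", LEVEL5_SAMPLE)):
        print(f"{name}: {position_entropy_bits(sample):6.1f} bits, "
              f"{duplicate_fraction(sample):4.0%} of tokens are repeats")
```

The counter case is the one Burp's "all the same" verdict does not cover: every token is unique, yet only its last digits carry entropy, so uniqueness alone is not evidence of randomness.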