Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

In this lesson, participants receive a demo of session ID entropy analysis. Mutillidae is set to security level 1 so that anti-CSRF tokens are issued and can be seen. With the interceptor in Burp Suite turned on, the response is forwarded in order to receive the CSRF token. Burp's Sequencer then performs a live capture of tokens and reports their effective entropy in bits. During a live capture, about 200 tokens are needed for a strong analysis of the overall quality of randomness.
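As an added example (not part of the lesson and not Burp Sequencer's own statistical test suite), the script below applies a simpler per-position Shannon-entropy estimate to a captured token sample and reproduces the two verdicts the demo shows; the two samples, a fixed 4-digit token and a CSPRNG-generated one, are constructed here, and the 200-token and 128-bit thresholds are the ones the lesson cites.

```python
import math
import secrets
from collections import Counter

MIN_SAMPLE = 200      # the lesson's rule of thumb for a meaningful capture
STRONG_BITS = 128.0   # the de facto bar the lesson cites for a strong token

def position_entropy_bits(tokens):
    """Sum the Shannon entropy observed at each character position.

    A plug-in estimate of the variation present in the sample: it is
    exactly 0.0 when every captured token is identical and approaches
    the token's true entropy as the sample grows.
    """
    if not tokens:
        raise ValueError("need at least one token")
    width = len(tokens[0])
    if any(len(t) != width for t in tokens):
        raise ValueError("fixed-width tokens are required for per-position analysis")
    n = len(tokens)
    bits = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        bits -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return bits

def assess(tokens):
    """Return (estimated_bits, unique_count, verdict) for a captured sample."""
    bits = position_entropy_bits(tokens)
    unique = len(set(tokens))
    if unique == 1:
        verdict = "extremely poor: every token is identical"
    elif len(tokens) < MIN_SAMPLE:
        verdict = "inconclusive: capture at least %d tokens" % MIN_SAMPLE
    elif bits >= STRONG_BITS:
        verdict = "excellent"
    else:
        verdict = "weak"
    return bits, unique, verdict

def constructed_samples():
    """Two constructed captures mirroring the demo: a fixed 4-digit token
    (like the level-1 behaviour shown) and a CSPRNG-generated 256-bit token."""
    fixed = ["7777"] * MIN_SAMPLE
    strong = [secrets.token_hex(32) for _ in range(MIN_SAMPLE)]
    return fixed, strong

if __name__ == "__main__":
    for name, sample in zip(("fixed token", "CSPRNG token"), constructed_samples()):
        bits, unique, verdict = assess(sample)
        print(f"{name}: {bits:.1f} bits, {unique} unique -> {verdict}")
```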

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course.
00:08
My name is Sunny Wear, and this is OWASP Top 10 for 2013, A8 Cross-Site Request Forgery, demo: Session ID Entropy Analysis.
00:22
This is the demo for
00:25
session ID entropy analysis. What we're gonna do is use Mutillidae
00:31
and we're going to set the security level to level one.
00:35
This is higher than level zero. Level zero doesn't use any anti-CSRF tokens at all, and so we want to at least set it to level one so that we can see some anti-CSRF tokens.
00:50
And the page we're gonna use to do our testing against is CSRF - Add to your blog.
00:58
So the first thing I want to do is go ahead and turn on my interceptor in Burp Suite.
01:04
I'm gonna refresh the page.
01:08
And of course,
01:11
Anti-CSRF tokens are assigned in your application code. They're always assigned in the HTTP response. So we need to forward.
01:21
And so this is our response. And so in that response, we find the CSRF token.
01:29
Looks like it has a value of four digits and they're all the same. So it doesn't look very random to me, but
01:36
let's go ahead and let Burp help us determine that.
01:41
We're gonna send this to the Sequencer.
01:45
Now, in the Sequencer, you're going to be able to start live captures of tokens, so it will actually send multiple requests. Burp Suite will send multiple requests to the application
01:59
Ah, and then basically, grab those tokens and run them through some algorithms and determine just how random those tokens are
02:08
now. But before we do that, let's go ahead and set up some custom fields for Burp Suite to look at.
02:20
So
02:21
we have here,
02:23
uh, I'm gonna just highlight the value.
02:28
And so it's captured "value=".
02:34
So if we wanted to get more granular, we could actually put all of this content
02:39
to help Burp to find the anti-CSRF token. Or you could just highlight the token if you didn't want to add the extra.
02:51
Okay, so that's set up.
02:53
So now all I need to do is go ahead and start the live capture.
03:00
Now you can see the number of requests being sent through.
03:04
You need to get about 200 tokens before you can really get a good analysis.
03:09
So we just hit that mark. Now let's go ahead and analyze.
03:15
And it says the overall quality of randomness within the sample is extremely poor,
03:21
and it's giving the amount of effective entropy as being zero bits.
03:27
Now, just so you know, the standard is around 128 bits. That's kind of the de facto for having a strong or moderate
03:40
token strength, at least at this time. And so
03:45
this is obviously because there's just no level of randomness at all. We're getting zero bits, so we'll stop that.
03:54
So returning to our page, make sure your interceptor's turned off for the moment in Burp Suite.
04:01
And we want to come back and go ahead and crank up the security level.
04:08
So just toggle security.
04:11
And that brings it up to a five. Okay, so now let's turn on our interceptor,
04:19
refresh our page
04:24
forward to get our response.
04:30
Look for our CSRF token.
04:33
Okay,
04:35
so this time it looks like we've got more randomness in this token.
04:41
Let's go ahead and send that over to the Sequencer
04:47
and set up our custom location
05:00
okay
05:05
and go ahead and start our live capture.
05:20
We're almost up to the 200 mark.
05:26
So we just hit the 200 mark. Let's go ahead and analyze.
05:30
All right. So it says now that the overall quality of randomness is excellent
05:39
and that we have an effective entropy
05:42
of 141 bits. So that even goes beyond the 128 bits that I mentioned as being the de facto standard. So this is very, very good.
05:56
Now if we were to go back and look again at the tokens that were generated at Level one, what you would notice is that the tokens are all the same. So
06:10
there's no unique
06:13
anti-CSRF token that's being generated per request for each user. And, of course, that can lead to session fixation and basically the ineffectiveness, or making the use of any CSRF tokens completely inert.
06:30
So hopefully this has been helpful in
06:33
helping you to determine just how random your anti-CSRF tokens are in your Web application.

Instructed By

Sunny Wear
Instructor