[WEB SECURITY] security of GUID
Chris Weber
chris at lookout.net
Thu Dec 7 13:59:09 EST 2006
GUIDs are commonly used as session ids. Where security is a concern,
they're often tied to other values such as encrypted tamper-proof cookies,
or even some sort of encrypted state tracking value. Yes, GUIDs are
considered random enough, but you need to qualify how you plan on using
them. For example, if you pass the session identifier in the URL then
you've just jeopardized it, and if you don't tie it to another strong value
such as the cookie, then you haven't raised the bar. Replay attacks, MITM,
and most other web-related attacks fall outside the scope of session
hijacking, but you likely know that already.
-----Original Message-----
From: Noon Tar [mailto:noontar at gmail.com]
Sent: Thursday, December 07, 2006 5:20 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] security of GUID
How random are the GUIDs generated by Windows APIs?
Are they random enough to be used for things like session identifiers?
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------
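The pattern Chris describes, a GUID session identifier that is only accepted alongside a second, tamper-evident cookie value, worked through as an added example. This code is not from the thread or from any named product; SERVER_KEY, SESSION_TTL, the cookie layout and the helper names are assumptions made for the illustration. It shows why the identifier alone (say, copied out of a URL) is not enough to use the session, and how an edited or expired cookie is rejected.

```python
import hashlib
import hmac
import time
import uuid
from typing import Optional

# Constructed key for this example; a real deployment loads it from a secret
# store and rotates it. (Assumption, not part of the original discussion.)
SERVER_KEY = b"example-key-not-for-production"

SESSION_TTL = 15 * 60  # seconds a binding cookie stays valid (assumed value)


def new_session_id() -> str:
    """A version-4 UUID as the session identifier.

    Python's uuid4() draws from os.urandom, a CSPRNG, and carries 122 random
    bits. On its own it is just an identifier; the cookie below is what ties
    it to something the server can verify.
    """
    return str(uuid.uuid4())


def _mac(payload: str, key: bytes) -> str:
    # HMAC-SHA256 over the payload, hex-encoded.
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()


def make_binding_cookie(sid: str, now: Optional[float] = None,
                        key: bytes = SERVER_KEY) -> str:
    """Cookie value that binds the session id to a keyed MAC and an expiry.

    Layout (assumed for this example): "<sid>|<expires_at>.<hmac hex>".
    Without SERVER_KEY nobody can produce a valid cookie for a given sid, and
    editing the expiry field breaks the MAC.
    """
    current = time.time() if now is None else now
    expires_at = int(current + SESSION_TTL)
    payload = f"{sid}|{expires_at}"
    return f"{payload}.{_mac(payload, key)}"


def validate_request(sid: str, cookie: Optional[str],
                     now: Optional[float] = None,
                     key: bytes = SERVER_KEY) -> bool:
    """Accept the request only if the cookie is intact, unexpired and bound
    to the presented session id. Every decision returns False on failure so a
    caller can simply deny the request."""
    if not cookie:
        return False  # session id presented without its binding cookie
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return False
    # Constant-time comparison on bytes: compare_digest rejects non-ASCII str.
    if not hmac.compare_digest(_mac(payload, key).encode(), tag.encode()):
        return False  # tampered or forged cookie
    bound_sid, sep, expires = payload.partition("|")
    if not sep or not expires.isdigit():
        return False
    current = time.time() if now is None else now
    if int(expires) <= current:
        return False  # stale cookie replayed after expiry
    return hmac.compare_digest(bound_sid.encode(), sid.encode())


if __name__ == "__main__":
    sid = new_session_id()
    cookie = make_binding_cookie(sid)
    print("id + cookie:", validate_request(sid, cookie))
    print("id only:", validate_request(sid, None))
    print("wrong session:", validate_request(new_session_id(), cookie))
```

The server-side secret is what makes the cookie unforgeable; the session id can stay a plain GUID. Passing `now` explicitly keeps the expiry logic testable without sleeping.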