Stompy 0.04

Stompy provides a tool to check the security of Web session IDs and other tokens.

  Add it to your Download Basket!

 Add it to your Watch List!


Rate it!
send us
an update
LGPL (GNU Lesser General Public License) 
Michal Zalewski
ROOT \ Internet \ HTTP (WWW)
Stompy provides a tool to check the security of Web session IDs and other tokens.

Stompy the session stomper is a penetration testing tool that performs an automated analysis and runs an array of fairly sophisticated tests on WWW session identifiers (or any other tokens) to see whether they are reasonably unpredictable or vulnerable to attacks.

Session IDs and similar secret values shared between client and server are commonly used to track authenticated users or validate certain actions in stateless environments (not limited to the Internet: prepaid mobile recharge vouchers are a good example), and as such, whenever they're predictable or simply have a non-negligible chance of being guessed by trial and error, we do have a problem.

Some of such mechanisms, particularly in relation to the Web, are well-studied and well-documented, and believed to be cryptographically secure (for example: Apache Tomcat, PHP, ASP.NET built-in session identifiers).

This is not necessarily so for various less-researcher enterprise platforms, and almost never so for custom solutions implemented in-house for a particular application. This is no better for other types of closed-source token generation systems that need to be quickly assessed for most obvious vulnerabilities before deployment.

What's New in This Release:

Added more explicit explanations of certain results,
Added fault bitmap reporting,
Emphasized the ability to use stompy for non-WWW applications,
Added raw file support,
Replaced environmental variables with command-line options,
Dropped non-GMP compilation target.
Added the ability to issue custom requests from file,
Added spatial correlation detection,
Added SSL support,
Moved testcases to test/
[BUG] Fixed transition checking
[BUG] Fixed some variable token length testing bugs
[BUG] Fixed minor reporting errors
[BUG] Fixed a problem with SEGV on replay on some platforms

Last updated on March 1st, 2007

#session stomper #penetration tool #automated analysis #Stompy #session #stomper #penetration

Add your review!