particular transitions are preferred, it is likely that the algorithm is flawed in some way.
■ Perform the NIST FIPS 140-2 statistical tests (monobit, poker, runs and long-run tests), identifying any statistically anomalous distribution of bits.
■ Check for correlations between arbitrary bits; a truly random token will exhibit no correlation between the state of one bit and the state of another.
These tests cannot be carried out effectively by visual inspection alone; they need a large sample of tokens and automated analysis. Of the publicly available tools, Stompy is the most effective at carrying out full-blown tests of randomness.
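The checks listed above are easier to see as code. The following is an added example (it is not from the book, its authors, or Stompy): it flattens a sample of captured tokens into a bit stream, runs the four FIPS 140-2 tests (monobit, poker, runs, long run) over the first 20,000 bits using the thresholds from the FIPS 140-2 change notice, and computes the Pearson correlation between every pair of bit positions across the sample. Bit positions that never change are reported separately, since a constant bit has zero entropy and no defined correlation. The token samples are constructed from a seeded PRNG rather than captured from a real application; the "flawed" variant fixes the first byte and derives byte 5 from byte 1, standing in for a static prefix and a derived field.

```python
"""FIPS 140-2 statistical tests and bit-correlation check over a token sample.
Added example; sample tokens are constructed, not captured from a real site."""
import math
import random


def tokens_to_bits(tokens):
    """Flatten a list of equal-length byte-string tokens into 0/1 ints, MSB first."""
    bits = []
    for tok in tokens:
        for byte in tok:
            bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    return bits


def fips_140_2(bits):
    """Run the four FIPS 140-2 tests on the first 20,000 bits.
    Returns {test_name: (statistic, passed)}. Each test rejects a truly random
    stream with probability of roughly 1e-4, so a failure is a strong signal."""
    if len(bits) < 20000:
        raise ValueError("FIPS 140-2 tests need at least 20,000 bits")
    s = bits[:20000]
    results = {}

    # Monobit: the number of ones must satisfy 9725 < X < 10275.
    ones = sum(s)
    results["monobit"] = (ones, 9725 < ones < 10275)

    # Poker: 5000 four-bit nibbles; X = (16/5000) * sum(f_i^2) - 5000 must
    # satisfy 2.16 < X < 46.17.
    counts = [0] * 16
    for i in range(0, 20000, 4):
        counts[s[i] << 3 | s[i + 1] << 2 | s[i + 2] << 1 | s[i + 3]] += 1
    poker = (16 / 5000) * sum(c * c for c in counts) - 5000
    results["poker"] = (poker, 2.16 < poker < 46.17)

    # Runs: count maximal runs of each bit value by length (6 = six or longer);
    # every count must fall inside its interval. Also track the longest run.
    run_counts = {0: [0] * 7, 1: [0] * 7}
    longest = 0
    i = 0
    while i < 20000:
        j = i
        while j < 20000 and s[j] == s[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        run_counts[s[i]][min(length, 6)] += 1
        i = j
    intervals = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
                 4: (240, 384), 5: (103, 209), 6: (103, 209)}
    runs_ok = all(lo <= run_counts[b][n] <= hi
                  for b in (0, 1) for n, (lo, hi) in intervals.items())
    results["runs"] = ({b: run_counts[b][1:] for b in (0, 1)}, runs_ok)

    # Long run: no run of 26 or more identical bits.
    results["long_run"] = (longest, longest < 26)
    return results


def bit_correlations(tokens, threshold=0.3):
    """Pearson correlation between every pair of bit positions across the sample.
    Returns (constant_positions, suspicious_pairs); suspicious_pairs holds
    (i, j, r) with |r| >= threshold. Constant positions are skipped because
    their variance is zero (and a constant bit is itself a finding)."""
    n_bits = len(tokens[0]) * 8
    if any(len(t) * 8 != n_bits for t in tokens):
        raise ValueError("tokens must all be the same length")
    n = len(tokens)
    columns = [[(tok[pos // 8] >> (7 - pos % 8)) & 1 for tok in tokens]
               for pos in range(n_bits)]
    means = [sum(col) / n for col in columns]
    constant = [pos for pos, m in enumerate(means) if m in (0.0, 1.0)]
    skip = set(constant)
    suspicious = []
    for i in range(n_bits):
        if i in skip:
            continue
        for j in range(i + 1, n_bits):
            if j in skip:
                continue
            cov = sum((a - means[i]) * (b - means[j])
                      for a, b in zip(columns[i], columns[j])) / n
            # variance of a 0/1 column is p(1-p)
            r = cov / math.sqrt(means[i] * (1 - means[i]) * means[j] * (1 - means[j]))
            if abs(r) >= threshold:
                suspicious.append((i, j, round(r, 3)))
    return constant, suspicious


def sample_tokens(n, flawed=False, seed=1234):
    """Constructed sample: n eight-byte tokens from a seeded PRNG, standing in
    for captured session IDs. The flawed variant fixes byte 0 (static prefix)
    and sets byte 5 to the complement of byte 1 (a derived field)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        b = bytearray(rng.getrandbits(8) for _ in range(8))
        if flawed:
            b[0] = 0x00
            b[5] = b[1] ^ 0xFF
        out.append(bytes(b))
    return out


if __name__ == "__main__":
    for label, toks in (("random", sample_tokens(500)),
                        ("flawed", sample_tokens(500, flawed=True))):
        fips = fips_140_2(tokens_to_bits(toks))
        const, pairs = bit_correlations(toks)
        print(label, {k: v[1] for k, v in fips.items()},
              "constant bits:", const, "correlated pairs:", pairs[:3])
```

With 500 eight-byte tokens the flawed sample fails the monobit test outright (its fixed zero byte drags the proportion of ones far below one half), reports bit positions 0 to 7 as constant, and flags the eight bit pairs (8+k, 40+k) with r = -1. Real tokens should be collected in the thousands before drawing conclusions from the runs and poker statistics.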
Weaknesses in Session Token Handling
No matter how well an application ensures that the session tokens it generates contain no meaningful information and cannot be analyzed or predicted, its session mechanism is wide open to attack if those tokens are not handled carefully after generation. For example, if tokens are disclosed to an attacker by some means, the attacker can hijack user sessions even though predicting the tokens is impossible.
There are various ways in which an application's unsafe handling of tokens can make it vulnerable to attack.