Questions
Answers can be found at http://mdsec.net/wahh.
- You log in to an application, and the server sets the following cookie:
  Set-cookie: sessid=amltMjM6MTI0MToxMTk0ODcwODYz;
  An hour later, you log in again and receive the following:
  Set-cookie: sessid=amltMjM6MTI0MToxMTk0ODc1MTMy;
  What can you deduce about these cookies?
- An application employs six-character alphanumeric session tokens and five-character alphanumeric passwords. Both are randomly generated according to an unpredictable algorithm. Which of these is likely to be the more worthwhile target for a brute-force guessing attack? List all the different factors that may be relevant to your decision.
- You log in to an application at the following URL:
  https://foo.wahh-app.com/login/home.php
  and the server sets the following cookie:
  Set-cookie: sessionId=1498172056438227; domain=foo.wahh-app.com; path=/login; HttpOnly;
  You then visit a range of other URLs. To which of the following will your browser submit the sessionId...
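A token-structure check for the first question, added here as example code (it is not from the book or its answer site): it base64-decodes the two quoted cookie values, splits the result on ':' and flags any field that looks like a Unix timestamp, which is the audit a developer would run against their own session tokens to confirm they are opaque. OPAQUE is a constructed control value, not a cookie from the page.

```python
import base64
import binascii
from datetime import datetime, timezone

# Constructed inputs: the two sessid values quoted in the first question.
COOKIES = [
    "amltMjM6MTI0MToxMTk0ODcwODYz",
    "amltMjM6MTI0MToxMTk0ODc1MTMy",
]
# Constructed control: base64 of non-ASCII bytes, as a truly random token would look.
OPAQUE = base64.b64encode(bytes(range(200, 216))).decode()


def decode_token(token: str):
    """Base64-decode a token (padding tolerant); return printable ASCII text or None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit(token: str) -> dict:
    """Report whether a token is opaque, and if not, its ':'-separated fields
    and any field that falls in the plausible Unix-timestamp range (seconds)."""
    text = decode_token(token)
    if text is None:
        return {"opaque": True, "fields": [], "timestamp": None}
    fields = text.split(":")
    ts = None
    for f in fields:
        if f.isdigit() and 1_000_000_000 <= int(f) <= 2_000_000_000:
            ts = int(f)
    return {"opaque": False, "fields": fields, "timestamp": ts}


def seconds_between(token_a: str, token_b: str):
    """Difference between the embedded timestamps of two tokens, or None."""
    a, b = audit(token_a)["timestamp"], audit(token_b)["timestamp"]
    return None if a is None or b is None else b - a


if __name__ == "__main__":
    for c in COOKIES + [OPAQUE]:
        r = audit(c)
        when = r["timestamp"] and datetime.fromtimestamp(r["timestamp"], tz=timezone.utc)
        print(c, "->", "opaque" if r["opaque"] else r["fields"], when)
    print("seconds between logins:", seconds_between(*COOKIES))
```

A token whose decoded fields include a username, a numeric id and a login time is derived from predictable data rather than generated from a secure random source, so the remedy is to issue an opaque random identifier and keep user and time data server-side.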