Stompy is a fairly advanced entropy verifier for session cookies, XSRF tokens, OTPs, and other random data. It goes well beyond FIPS-140-2, performing n-dimensional spectral testing as well.
What's so cool about stompy?
Stompy aims to be a quick and mostly automated tool to provide a first line of
assessment and reliably detect common anomalies that are not readily apparent
at a cursory glance.
To achieve this, it:
- Automatically detects session IDs carried in URLs, cookies, and form
inputs, then collects a statistically significant sample of data
without any user interaction (but can also accept preformatted data from
- Automatically determines the alphabet structure to transparently handle
base64, uuencode, base32, decimal, hex, or any other sane encoding scheme,
including mixed encodings. Notably, it can handle fractional-bit alphabets
(ones whose size is not a power of two), which cannot normally be mapped
directly to binary,
- After carrying out a couple of trivial alphabet-based tests, stompy then
splits the samples into temporally separated bitstreams (stream 1: bit 0 of
sample 1, bit 0 of sample 2, bit 0 of sample 3...; stream 2: bit 1 of
sample 1, bit 1 of sample 2, bit...) to individually evaluate how bits change
in time, and how much entropy they contribute to the identifier.
- To detect weaknesses in each of the bitstreams, the tool runs the NIST
FIPS-140-2 PRNG evaluation tests on the collected data, as well as a number
of n-dimensional phase analysis attempts (spectral tests) aimed at finding
PRNG hyperplanes and other types of non-trivial data correlation.
- Lastly, the tool performs a series of spatial correlation checks to
identify dependencies between neighboring bits within each token,
- A final report on the number of correct and anomalous bits is then prepared,
and an estimate of the amount of "untainted" entropy is assigned a
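As an added illustration (not stompy's own code; the tool's internals are not shown on this page), the following Python sketch walks through the pipeline the list above describes: alphabet detection, big-integer conversion so that a fractional-bit alphabet such as base36 can be mapped to bits at all, the temporal bitstream split (stream j = bit j of every sample in order), a monobit and lag-1 check per stream standing in for the FIPS-140-2 battery, a neighbor-bit spatial check, and a summed "untainted" entropy estimate over the bits that pass. The candidate alphabet table, the 10% tolerance, and the sample tokens (a fixed "a5" prefix, an 8-bit counter, and 16 seeded-PRNG bits) are all constructed assumptions for the example.

```python
import math
import random

# Candidate alphabets, smallest first (constructed list, not stompy's table).
# Bits per character is log2(len(alphabet)); for base36 that is ~5.17, i.e.
# a "fractional-bit" alphabet that cannot be mapped to bits character-wise.
ALPHABETS = [
    ("decimal", "0123456789"),
    ("hex", "0123456789abcdef"),
    ("base32", "abcdefghijklmnopqrstuvwxyz234567"),
    ("base36", "0123456789abcdefghijklmnopqrstuvwxyz"),
    ("base64", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"),
]


def detect_alphabet(tokens):
    """Return (name, alphabet) of the smallest candidate covering every character seen."""
    seen = set("".join(tokens))
    for name, alphabet in ALPHABETS:
        if seen <= set(alphabet):
            return name, alphabet
    raise ValueError("no candidate alphabet covers %r" % "".join(sorted(seen)))


def token_to_bits(token, alphabet):
    """Interpret the token as a base-N big integer and render it as a fixed-width
    bit string (width = ceil(len * log2(N))).  Going through the integer is what
    makes a non-power-of-two alphabet representable as a bit vector."""
    n = len(alphabet)
    value = 0
    for ch in token:
        value = value * n + alphabet.index(ch)
    width = math.ceil(len(token) * math.log2(n))
    return format(value, "0%db" % width)


def split_bitstreams(tokens, alphabet):
    """Stream j holds bit j of sample 1, bit j of sample 2, ... (the temporal view)."""
    bits = [token_to_bits(t, alphabet) for t in tokens]
    width = len(bits[0])
    if any(len(b) != width for b in bits):
        raise ValueError("all tokens must decode to the same bit width")
    return [[b[j] == "1" for b in bits] for j in range(width)]


def stream_stats(stream):
    """Monobit proportion, Shannon entropy (bits) and lag-1 'same as previous sample' rate."""
    n = len(stream)
    p1 = sum(stream) / n
    if p1 in (0.0, 1.0):
        entropy = 0.0
    else:
        entropy = -(p1 * math.log2(p1) + (1 - p1) * math.log2(1 - p1))
    same = sum(1 for a, b in zip(stream, stream[1:]) if a == b) / (n - 1)
    return {"ones": p1, "entropy": entropy, "lag1_same": same}


def neighbor_same(streams):
    """Spatial check: how often bit j and bit j+1 of the *same* token agree."""
    n = len(streams[0])
    return [sum(1 for a, b in zip(streams[j], streams[j + 1]) if a == b) / n
            for j in range(len(streams) - 1)]


def assess(tokens, tolerance=0.1):
    """Flag each bit position as good or anomalous; sum the entropy of the good ones."""
    name, alphabet = detect_alphabet(tokens)
    streams = split_bitstreams(tokens, alphabet)
    stats = [stream_stats(s) for s in streams]
    good = [j for j, s in enumerate(stats)
            if abs(s["ones"] - 0.5) <= tolerance
            and abs(s["lag1_same"] - 0.5) <= tolerance]
    return {
        "alphabet": name,
        "width": len(streams),
        "good_bits": good,
        "anomalous_bits": [j for j in range(len(streams)) if j not in good],
        "constant_bits": [j for j, s in enumerate(stats) if s["entropy"] == 0.0],
        "effective_entropy": sum(stats[j]["entropy"] for j in good),
        "neighbor_same": neighbor_same(streams),
    }


def constructed_tokens(count=2000, seed=1234):
    """Constructed sample, not captured cookies: 'a5' + 8-bit counter + 16 seeded random bits."""
    rng = random.Random(seed)
    return ["a5%02x%04x" % (i % 256, rng.getrandbits(16)) for i in range(count)]


if __name__ == "__main__":
    report = assess(constructed_tokens())
    print("alphabet:", report["alphabet"], "width:", report["width"])
    print("constant bits:", report["constant_bits"])
    print("anomalous bits:", report["anomalous_bits"])
    print("effective entropy: %.2f of %d bits" % (report["effective_entropy"], report["width"]))
```

On the constructed sample the eight prefix bits come out constant, the counter's low bit fails the lag-1 check because it alternates every sample, and its high bits fail because they almost never change. Note the gap this deliberately leaves: the counter bit with period 4 (bit position 14, pattern 0,0,1,1,...) has an exactly balanced monobit count and a lag-1 rate of 0.5, so the simple checks here let it through, whereas a FIPS-140-2 runs test would flag it (every run has length 2). That is the reason stompy does not stop at trivial per-stream statistics but goes on to the full test battery and spectral analysis.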
How to install/compile stompy in BackTrack 4, BackTrack 5, Debian, ...
First install an additional library, then download and compile stompy
tar -xzf stompy.tgz
How to run stompy?
To run the program against a website, you can invoke it this way:
... or ...
To test a text file that contains raw tokens obtained by some other means
(one per line), do this: