Talk:Testing for Bypassing Authentication Schema (OTG-AUTHN-004)

Can't seem to delete section 4. It is redundant. Also, there is a misspelling of the word Authentication in the image.

Direct page request image

Is it possible to replace the image below Direct Page Request with one that is more intuitive? I'm not exactly sure what the intent of that image was.

Why is it possible to restrict brute force when cookie id goes symmetrically?

In Session ID Prediction, the document says that "In the following figure, values inside cookies change only partially, so it's possible to restrict a brute force attack to the defined fields shown below." whereas the Session ID goes very symmetrically in some part, so it is possible to guess what a sequenced valid cookie is. The first part of the Session ID increases 1 by 1; the second part of the Session ID increases almost 10 by 10. Am I right?
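An added example, not from the OWASP page or the commenter, showing the check behind the figure's point: split each captured cookie into its fields and classify each field as constant, stepping by a small regular amount, or actually varying, which is how a tester or the developer of the session manager would confirm that a generator is weak. The cookie values are constructed; the dot separator and three-field layout are assumptions.

```python
"""Classify the fields of successive session cookies (added example; sample data
is constructed, the '.'-separated layout is an assumption)."""

# Constructed cookies as issued to five successive logins: field 1 steps by 1,
# field 2 steps by roughly 10, field 3 never changes.
SEQUENTIAL_COOKIES = [
    "1001.20010.abc",
    "1002.20021.abc",
    "1003.20029.abc",
    "1004.20040.abc",
    "1005.20051.abc",
]

# Same layout, but the third field is filled from a CSPRNG (constructed values).
MIXED_COOKIES = [
    "1001.20010.9f3a1c",
    "1002.20021.04be77",
    "1003.20029.e1d08b",
    "1004.20040.5c92f0",
    "1005.20051.7ab341",
]


def field_deltas(cookies, sep="."):
    """Per field: list of differences between consecutive numeric values,
    or None when the field is not purely numeric."""
    rows = [c.split(sep) for c in cookies]
    deltas = []
    for i in range(len(rows[0])):
        col = [r[i] for r in rows]
        if all(v.isdigit() for v in col):
            vals = [int(v) for v in col]
            deltas.append([b - a for a, b in zip(vals, vals[1:])])
        else:
            deltas.append(None)
    return deltas


def assess(cookies, sep=".", max_step=16):
    """Verdict per field: 'constant', 'sequential' (every step is a small
    positive increment, as in the figure), or 'varying' (no such pattern)."""
    rows = [c.split(sep) for c in cookies]
    verdicts = []
    for i, d in enumerate(field_deltas(cookies, sep)):
        if len({r[i] for r in rows}) == 1:
            verdicts.append("constant")
        elif d is not None and all(0 < x <= max_step for x in d):
            verdicts.append("sequential")
        else:
            verdicts.append("varying")
    return verdicts
```

A generator whose verdicts contain no "varying" field is the situation the figure describes: the unpredictable part of the token is empty, and the remaining fields narrow a guess to a tiny range.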