Testing for Session Management - Revision history

Andrew Muller at 12:28, 8 August 2014

2014-08-08T12:28:40Z

Jane O'Connor: Final edit

2014-05-14T19:24:35Z

Final edit

Yiannis: Testing Guide V4: Review_v1

2014-03-14T00:44:01Z

Testing Guide V4: Review_v1

Davide Danelon at 17:13, 7 March 2014

2014-03-07T17:13:12Z

Mmeucci at 14:48, 9 October 2012

2012-10-09T14:48:59Z

Anant Shrivastava: correcting seq number

2010-11-18T22:11:10Z

correcting seq number

KirstenS at 13:16, 5 February 2009

2009-02-05T13:16:55Z

KirstenS at 22:44, 15 December 2008

2008-12-15T22:44:15Z

KirstenS at 17:24, 7 December 2008

2008-12-07T17:24:20Z

KirstenS at 17:24, 7 December 2008

2008-12-07T17:24:02Z

@@ Line 17: / Line 17: @@
 <br>
-[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]
+[[Testing for Session_Management_Schema (OTG-SESS-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]
-[[Testing for cookies attributes  (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]]
+[[Testing for cookies attributes  (OTG-SESS-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]]
-[[Testing for Session Fixation  (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]]
+[[Testing for Session Fixation  (OTG-SESS-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]]
-[[Testing for Exposed Session Variables  (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]]
+[[Testing for Exposed Session Variables  (OTG-SESS-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]]
-[[Testing for CSRF  (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]]
+[[Testing for CSRF  (OTG-SESS-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]]
-[[Testing for logout functionality (OWASP-SM-007)|4.7.6 Testing for logout functionality (OTG-SESS-007)]]
+[[Testing for logout functionality (OTG-SESS-006)|4.7.6 Testing for logout functionality (OTG-SESS-006)]]
-[[Test Session Timeout (OTG-SESS-008)|4.7.7 Test Session Timeout (OTG-SESS-008)]]
+[[Test Session Timeout (OTG-SESS-007)|4.7.7 Test Session Timeout (OTG-SESS-007)]]
-[[Testing for Session puzzling (OTG-SESS-010)|4.7.8 Testing for Session puzzling (OTG-SESS-010)]]
+[[Testing for Session puzzling (OTG-SESS-008)|4.7.8 Testing for Session puzzling (OTG-SESS-008)]]

@@ Line 1: / Line 1: @@
 {{Template:OWASP Testing Guide v4}}
-''' 4.5 Session Management Testing'''
+''' 4.7 Session Management Testing'''
 ----
-One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. We refer to this as Session Management and define it as the set of all controls governing state-full interaction between a user and the web-based application. This broadly covers anything from how user authentication is performed, to what happens upon them logging out.
+One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. This is referred to this as Session Management and is defined as the set of all controls governing state-full interaction between a user and the web-based application. This broadly covers anything from how user authentication is performed, to what happens upon them logging out.
 HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other.  Even simple application logic requires a user's multiple requests to be associated with each other across a "session”.  This necessitates third party solutions – through either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations.  Most popular web application environments, such as ASP and PHP, provide developers with built-in session handling routines. Some kind of identification token will typically be issued, which will be referred to as a “Session ID” or Cookie.
 <br>
 There are a number of ways in which a web application may interact with a user.  Each is dependent upon the nature of the site, the security, and availability requirements of the application.
-Whilst there are accepted best practices for application development, such as those outlined in the [[OWASP Guide Project|OWASP Guide to Building Secure Web Applications]], it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter we describe the following items.<br>
 [[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]

@@ Line 4: / Line 4: @@
 ----
-At the core of any web-based application is the way in which it maintains state and thereby controls user-interaction with the site.  Session Management broadly covers all controls on a user from authentication to leaving the application.
+One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. We refer to this as Session Management and define it as the set of all controls governing state-full interaction between a user and the web-based application. This broadly covers anything from how user authentication is performed, to what happens upon them logging out.
 HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other.  Even simple application logic requires a user's multiple requests to be associated with each other across a "session”.  This necessitates third party solutions – through either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations.  Most popular web application environments, such as ASP and PHP, provide developers with built-in session handling routines. Some kind of identification token will typically be issued, which will be referred to as a “Session ID” or Cookie.
 <br>

@@ Line 10: / Line 10: @@
 Whilst there are accepted best practices for application development, such as those outlined in the [[OWASP Guide Project|OWASP Guide to Building Secure Web Applications]], it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter we describe the following items.<br>
-[[Testing for Session_Management_Schema  (OWASP-SM-001)|4.5.1 Testing for Session Management Schema (OWASP-SM-001)]]<br>
+[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]
-This describes how to analyse a Session Management Schema, with the goal to understand how the Session Management mechanism has been developed and if it is possible to break it to bypass the user session. It explains how to test the security of session tokens issued to the client's browser: how to reverse engineer a cookie, and how to manipulate cookies to hijack a session.<br>
-[[Testing for cookies attributes (OWASP-SM-002)|4.5.2 Testing for Cookies attributes (OWASP-SM-002)]]<br>
+[[Testing for cookies attributes  (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]]
-Cookies are often a key attack vector for malicious users (typically, targeting other users) and, as such, the application should always take due diligence to protect cookies. In this section, we will look at how an application can take the necessary precautions when assigning cookies and how to test that these attributes have been correctly configured.<br>
-[[Testing for Session Fixation  (OWASP-SM-003)|4.5.3 Testing for Session Fixation  (OWASP-SM-003)]]<br>
+[[Testing for Session Fixation  (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]]
-When an application does not renew the cookie after a successful user authentication, it could be possible to find a session fixation vulnerability and force a user to utilize a cookie known to the attacker.<br>
-[[Testing for Exposed Session Variables   (OWASP-SM-004)|4.5.4 Testing for Exposed Session Variables   (OWASP-SM-004)]]<br>
+[[Testing for Exposed Session Variables  (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]]
-Session Tokens represent confidential information because they tie the user identity with his own session. It's possible to test if the session token is exposed to this vulnerability and try to create a replay session attack.
-<br>
+[[Testing for CSRF  (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]]
-[[Testing for CSRF  (OWASP-SM-005)|4.5.5 Testing for CSRF (OWASP-SM-005)]]<br>
-Cross Site Request Forgery describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated. This section describes how to test an application to find this kind of vulnerability.<br>
+[[Testing for logout functionality (OWASP-SM-007)|4.7.6 Testing for logout functionality (OTG-SESS-007)]]

← Older revision		Revision as of 14:48, 9 October 2012
Line 1:		Line 1:
−	{{Template:OWASP Testing Guide v3}}	+	{{Template:OWASP Testing Guide v4}}

	''' 4.5 Session Management Testing'''		''' 4.5 Session Management Testing'''

← Older revision		Revision as of 22:44, 15 December 2008
Line 21:		Line 21:
	[[Testing for CSRF (OWASP-SM-005)\|4.7.5 Testing for CSRF (OWASP-SM-005)]]<br>		[[Testing for CSRF (OWASP-SM-005)\|4.7.5 Testing for CSRF (OWASP-SM-005)]]<br>
	Cross Site Request Forgery describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated. This section describes how to test an application to find this kind of vulnerability.<br>		Cross Site Request Forgery describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated. This section describes how to test an application to find this kind of vulnerability.<br>
−	~~[[Testing for HTTP Exploit (OWASP-SM-006)\|4.7.6 Testing for HTTP Exploit (OWASP-SM-006)]]<br>~~
−	~~Describes how to test for an HTTP Exploit, as HTTP Verb, HTTP Splitting, HTTP Smuggling.<br><br>~~

@@ Line 21: / Line 21: @@
 [[Testing for CSRF  (OWASP-SM-005)|4.7.5 Testing for CSRF (OWASP-SM-005)]]<br>
 Cross Site Request Forgery describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated. This section describes how to test an application to find this kind of vulnerability.<br>
-[[Testing for HTTP Exploit  (OWASP-SM-006)|4.7.6 Testing for HTTP Exploit ]]<br>
+[[Testing for HTTP Exploit  (OWASP-SM-006)|4.7.6 Testing for HTTP Exploit  (OWASP-SM-006)]]<br>
 Describes how to test for an HTTP Exploit, as HTTP Verb, HTTP Splitting, HTTP Smuggling.<br><br>