Testing for logout functionality (OTG-SESS-006) - Revision history

D0ubl3 h3lix: /* How to Test */

2018-05-15T14:48:25Z

‎How to Test

D0ubl3 h3lix: /* How to Test */

2018-05-15T14:45:05Z

‎How to Test

D0ubl3 h3lix: Added sequence diagram for "testing server-side session termination"

2018-05-15T14:42:43Z

Added sequence diagram for "testing server-side session termination"

Nawwar: /* References */ fixing a link

2015-10-08T20:22:29Z

‎References: fixing a link

Lvsteche: /* References */

2014-09-16T10:37:15Z

‎References

Lvsteche: /* Summary */

2014-09-16T10:36:03Z

‎Summary

Andrew Muller: Andrew Muller moved page Testing for logout functionality (OTG-SESS-007) to Testing for logout functionality (OTG-SESS-006)

2014-08-08T11:57:55Z

Andrew Muller moved page Testing for logout functionality (OTG-SESS-007) to Testing for logout functionality (OTG-SESS-006)

Andrew Muller at 14:24, 31 July 2014

2014-07-31T14:24:42Z

Andrew Muller: Andrew Muller moved page Testing for logout functionality (OWASP-SM-007) to Testing for logout functionality (OTG-SESS-007): Align with Common Numbering

2014-07-31T14:23:26Z

Andrew Muller moved page Testing for logout functionality (OWASP-SM-007) to Testing for logout functionality (OTG-SESS-007): Align with Common Numbering

Jane O'Connor: Final edit

2014-05-17T17:08:48Z

Final edit

@@ Line 42: / Line 42: @@
 '''Testing for server-side session termination:'''<br>
 First, store the values of cookies that are used to identify a session. Invoke the log out function and observe the behavior of the application, especially regarding session cookies. Try to navigate to a page that is only visible in an authenticated session, e.g. by usage of the back button of the browser. If a cached version of the page is displayed, use the reload button to refresh the page from the server. If the log out function causes session cookies to be set to a new value, restore the old value of the session cookies and reload a page from the authenticated area of the application. If these test don't show any vulnerabilities on a particular page, try at least some further pages of the application that are considered as security-critical, to ensure that session termination is recognized properly by these areas of the application.
 '''Result Expected:'''<br>

@@ Line 43: / Line 43: @@
 First, store the values of cookies that are used to identify a session. Invoke the log out function and observe the behavior of the application, especially regarding session cookies. Try to navigate to a page that is only visible in an authenticated session, e.g. by usage of the back button of the browser. If a cached version of the page is displayed, use the reload button to refresh the page from the server. If the log out function causes session cookies to be set to a new value, restore the old value of the session cookies and reload a page from the authenticated area of the application. If these test don't show any vulnerabilities on a particular page, try at least some further pages of the application that are considered as security-critical, to ensure that session termination is recognized properly by these areas of the application.
-[[File:Scenario .jpg|thumb]]
+[[File:Scenario .jpg||frame|left]]
 '''Result Expected:'''<br>

@@ Line 43: / Line 43: @@
 First, store the values of cookies that are used to identify a session. Invoke the log out function and observe the behavior of the application, especially regarding session cookies. Try to navigate to a page that is only visible in an authenticated session, e.g. by usage of the back button of the browser. If a cached version of the page is displayed, use the reload button to refresh the page from the server. If the log out function causes session cookies to be set to a new value, restore the old value of the session cookies and reload a page from the authenticated area of the application. If these test don't show any vulnerabilities on a particular page, try at least some further pages of the application that are considered as security-critical, to ensure that session termination is recognized properly by these areas of the application.
 '''Result Expected:'''<br>
@@ Line 65: / Line 66: @@
 '''Result Expected:'''<br>
 It is expected that the invocation of a log out function in a web application connected to a SSO system or in the SSO system itself causes global termination of all sessions. An authentication of the user should be required to gain access to the application after log out in the SSO system and connected application.
 ==Tools==

@@ Line 72: / Line 72: @@
 == References ==
 '''Whitepapers'''
-* "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications" - http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
+* "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications" - https://support.microsoft.com/en-us/kb/900111
 * "Cookie replay attacks in ASP.NET when using forms authentication" - https://www.vanstechelman.eu/content/cookie-replay-attacks-in-aspnet-when-using-forms-authentication
 <br>

@@ Line 73: / Line 73: @@
 '''Whitepapers'''
 * "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications" - http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
 <br>

@@ Line 17: / Line 17: @@
 Another common mistake in session termination is that the client-side session token is set to a new value while the server-side state remains active and can be reused by setting the session cookie back to the previous value. Sometimes only a confirmation message is shown to the user without performing any further action. This should be avoided.
@@ Line 23: / Line 26: @@
 The usage of a single sign-on (SSO) system instead of an application-specific authentication scheme often causes the coexistence of multiple sessions which have to be terminated separately. For instance, the termination of the application-specific session does not terminate the session in the SSO system. Navigating back to the SSO portal offers the user the possibility to log back in to the application where the log out was performed just before. On the other side a log out function in a SSO system does not necessarily cause session termination in connected applications.
 == How to Test ==

← Older revision	Revision as of 11:57, 8 August 2014
(No difference)

@@ Line 2: / Line 2: @@
-== Brief Summary ==
+== Summary ==
 Session termination is an important part of the session lifecycle. Reducing to a minimum the lifetime of the session tokens decreases the likelihood of a successful session hijacking attack. This can be seen as a control against preventing other attacks like Cross Site Scripting and Cross Site Request Forgery. Such attacks have been known to rely on a user having an authenticated session present. Not having a secure session termination only increases the attack surface for any of these attacks.
@@ Line 12: / Line 12: @@
 * Proper invalidation of server-side session state.
 There are multiple issues which can prevent the effective termination of a session. For the ideal secure web application, a user should be able to terminate at any time through the user interface. Every page should contain a log out button on a place where it is directly visible. Unclear or ambiguous log out functions could cause the user not trusting such functionality.
@@ Line 27: / Line 25: @@
-== Black Box Testing ==
+== How to Test ==
 '''Testing for log out user interface:'''<br>
 Verify the appearance and visibility of the log out functionality in the user interface. For this purpose, view each page from the perspective of a user who has the intention to log out from the web application.
@@ Line 66: / Line 64: @@
 It is expected that the invocation of a log out function in a web application connected to a SSO system or in the SSO system itself causes global termination of all sessions. An authentication of the user should be required to gain access to the application after log out in the SSO system and connected application.
 == References ==
@@ Line 71: / Line 72: @@
 * "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications" - http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
 <br>

← Older revision	Revision as of 14:23, 31 July 2014
(No difference)

@@ Line 3: / Line 3: @@
 == Brief Summary ==
-Session termination is an important part of the session lifecycle. Reducing to a minimum the lifetime of the session token(s) decreases the likelihood of a successful session hijacking attack. This can be seen as a control against preventing other attacks like Cross Site Scripting and Cross Site Request Forgery. Such attacks have been known to rely on a user having an authenticated session present. Not having a secure session termination only increases the attack surface for any of these attacks.
+Session termination is an important part of the session lifecycle. Reducing to a minimum the lifetime of the session tokens decreases the likelihood of a successful session hijacking attack. This can be seen as a control against preventing other attacks like Cross Site Scripting and Cross Site Request Forgery. Such attacks have been known to rely on a user having an authenticated session present. Not having a secure session termination only increases the attack surface for any of these attacks.
 A secure session termination requires at least the following components:
-* Availability of user interface controls for manual logouts performed by the user.
+* Availability of user interface controls that allow the user to manually log out.
 * Session termination after a given amount of time without activity (session timeout).
 * Proper invalidation of server-side session state.
 == Description of the Issue ==
-There are multiple issues which can prevent the effective termination of a session. For the ideal secure web application, a user should be able to terminate at any time through the user interface. Every page should contain a logout button on a place where it is directly visible. Unclear or ambiguous logout functions could cause the user not trusting such functionality.
+There are multiple issues which can prevent the effective termination of a session. For the ideal secure web application, a user should be able to terminate at any time through the user interface. Every page should contain a log out button on a place where it is directly visible. Unclear or ambiguous log out functions could cause the user not trusting such functionality.
 Users of web browsers often don't mind that an application is still open and just close the browser or a tab. A web application should be aware of this behavior and terminate the session automatically on the server-side after a defined amount of time.
-== Black Box testing and example ==
+The usage of a single sign-on (SSO) system instead of an application-specific authentication scheme often causes the coexistence of multiple sessions which have to be terminated separately. For instance, the termination of the application-specific session does not terminate the session in the SSO system. Navigating back to the SSO portal offers the user the possibility to log back in to the application where the log out was performed just before. On the other side a log out function in a SSO system does not necessarily cause session termination in connected applications.
-'''Testing for logout user interface:'''<br>
-Verify the appearance and visibility of the logout functionality in the user interface. For this purpose, view each page from the perspective of an user who has the intention to logout from the web application.
 '''Result Expected:'''<br>
-There are some properties which indicate a good logout user interface:
+There are some properties which indicate a good log out user interface:
-* A logout button is present on all pages of the web application.
+* A log out button is present on all pages of the web application.
-* The logout button should be identified quickly by an user which wants to logout from the web application.
+* The log out button should be identified quickly by a user who wants to log out from the web application.
-* After loading of a page the logout button should be visible without scrolling.
+* After loading a page the log out button should be visible without scrolling.
-* Ideally the logout button is placed in an area of the page, which is fixed in the view port of the browser and not affected by scrolling of the content.<br><br>
+* Ideally the log out button is placed in an area of the page that is fixed in the view port of the browser and not affected by scrolling of the content.
 '''Testing for server-side session termination:'''<br>
-First, store the values of cookies which are used to identify a session. Invoke the logout function and observe the behavior of the application, especially regarding session cookies. Try to navigate to a page which is only visible in an authenticated session, e.g. by usage of the back button of the browser. If a cached version of the page is displayed, use the reload button to refresh the page from the server. If the logout function causes that session cookies are set to a new value, restore the old value of the session cookies and reload a page from the authenticated area of the application. If these test don't show any vulnerabilities on a particular page, try at least some further pages of the application which are considered as security-critical, to ensure that session termination is recognized properly by these areas of the application.
+First, store the values of cookies that are used to identify a session. Invoke the log out function and observe the behavior of the application, especially regarding session cookies. Try to navigate to a page that is only visible in an authenticated session, e.g. by usage of the back button of the browser. If a cached version of the page is displayed, use the reload button to refresh the page from the server. If the log out function causes session cookies to be set to a new value, restore the old value of the session cookies and reload a page from the authenticated area of the application. If these test don't show any vulnerabilities on a particular page, try at least some further pages of the application that are considered as security-critical, to ensure that session termination is recognized properly by these areas of the application.
 '''Result Expected:'''<br>
-No data which should be visible only by authenticated users should be visible on the examined pages while performing the tests. Ideally the application redirects to a public area or a login form while accessing authenticated areas after termination of the session.
+No data that should be visible only by authenticated users should be visible on the examined pages while performing the tests. Ideally the application redirects to a public area or a log in form while accessing authenticated areas after termination of the session. It should be not necessary for the security of the application, but setting session cookies to new values after log out is generally considered as good practice.
 '''Testing for session timeout:'''<br>
-Try to determine a session timeout by performing requests to a page in the authenticated area of the web application with increasing delays. If the logout behavior appears, the used delay matches approximately the session timeout value.
+Try to determine a session timeout by performing requests to a page in the authenticated area of the web application with increasing delays. If the log out behavior appears, the used delay matches approximately the session timeout value.
 '''Result Expected:'''<br>
-The same results as for server-side session termination testing described before are excepted by a logout caused by an inactivity timeout.
+The same results as for server-side session termination testing described before are excepted by a log out caused by an inactivity timeout.
 '''Testing for session termination in single sign-on environments (single sign-off):'''<br>
-Perform a logout in the tested application. Verify if there is a central portal or application directory which allows the user to relogin to the application without authentication. Test if the application requests the user to authenticate, if the URL of an entry point to the application is requested.
+Perform a log out in the tested application. Verify if there is a central portal or application directory which allows the user to log back in to the application without authentication. Test if the application requests the user to authenticate, if the URL of an entry point to the application is requested. While logged in in the tested application, perform a log out in the SSO system. Then try to access an authenticated area of the tested application.
 '''Result Expected:'''<br>
-It is expected that the invocation of a logout function in a web application connected to a SSO system or in the SSO system itself causes global termination of all sessions. An authentication of the user should be required to gain access to the application after logout in the SSO system and connected application.<br><br>
+It is expected that the invocation of a log out function in a web application connected to a SSO system or in the SSO system itself causes global termination of all sessions. An authentication of the user should be required to gain access to the application after log out in the SSO system and connected application.
 == References ==
@@ Line 60: / Line 71: @@
 * "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications" - http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
 <br>
 '''Tools'''
 * "Burp Suite - Repeater" - http://portswigger.net/burp/repeater.html