
Difference between revisions of "Testing for Session Management"

From OWASP
(Session Management Testing)
 
(39 intermediate revisions by 8 users not shown)
Line 1: Line 1:
=== Session Management Testing ===
+
{{Template:OWASP Testing Guide v4}}
 +
 
 +
''' 4.7 Session Management Testing'''
 
----
 
----
  
At the core of any web-based application is the way in which it maintains state and thereby controls user-interaction with the site. Session Management broadly covers all controls on a user from authentication to leaving the application.
+
One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. This is referred to this as Session Management and is defined as the set of all controls governing state-full interaction between a user and the web-based application. This broadly covers anything from how user authentication is performed, to what happens upon them logging out.  
HTTP is a stateless protocol, meaning web servers respond to client requests without linking them to each other.  Even simple application logic requires a user's multiple requests to be associated with each other across a "session”.  This necessitates third party solutions – through either Off-The-Shelf (OTS) middleware and web-server solutions, or bespoke developer implementations.  Most popular web application environments, such as ASP and PHP, provide developers with built in session handling routines. Some kind of identification token will typically be issued, which will be referred to as “Session IDs” or Cookies.
+
 
 +
 
 +
HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other.  Even simple application logic requires a user's multiple requests to be associated with each other across a "session”.  This necessitates third party solutions – through either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations.  Most popular web application environments, such as ASP and PHP, provide developers with built-in session handling routines. Some kind of identification token will typically be issued, which will be referred to as a “Session ID” or Cookie.
 +
<br>
 +
 
 +
 
 +
There are a number of ways in which a web application may interact with a user. Each is dependent upon the nature of the site, the security, and availability requirements of the application. Whilst there are accepted best practices for application development, such as those outlined in the [[OWASP Guide Project|OWASP Guide to Building Secure Web Applications]], it is important that application security is considered within the context of the provider’s requirements and expectations.
 +
 
 +
 
 +
This chapter covers the following topics:
 
<br>
 
<br>
There are a number of ways a web-application may interact with a user.  Each is dependant upon the nature of the site, the security and availability requirements of the application.
 
Whilst there are accepted best practices for application development, such as those outlined in the OWASP Guide to Building Secure Web Applications, it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter is described how to analyse a Session Management Schema and how to test the secuiry of session Token issued to the Client. Then is described how to test for Session Riding and HTTP Exploit.
 
  
[[ Analysis of the Session Management Schema AoC| 4.5.1 Analysis of the Session Management Schema]]<br>
+
[[Testing for Session_Management_Schema (OTG-SESS-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]  
[[ Cookie and Session Token Manipulation AoC|4.5.1 Cookie and Session Token Manipulation]]<br>
+
 
[[ Weak Session Tokens AoC|4.5.2 Weak Session Tokens (TO ELIMINATE) ]]<br>
+
[[Testing for cookies attributes  (OTG-SESS-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]]  
[[ Exposed Session Variables AoC|4.5.2 Exposed Session Variables ]]<br>
+
 
[[ Session Riding AoC|4.5.3 Session Riding ]]<br>
+
[[Testing for Session Fixation  (OTG-SESS-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]]  
[[ HTTP Exploit AoC|4.5.4 HTTP Exploit ]]<br>
+
 
 +
[[Testing for Exposed Session Variables (OTG-SESS-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]]  
 +
 
 +
[[Testing for CSRF  (OTG-SESS-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]]
 +
 
 +
[[Testing for logout functionality (OTG-SESS-006)|4.7.6 Testing for logout functionality (OTG-SESS-006)]]  
 +
 
 +
[[Test Session Timeout (OTG-SESS-007)|4.7.7 Test Session Timeout (OTG-SESS-007)]]
  
[[OWASP Testing Guide v2 Table of Contents]]
+
[[Testing for Session puzzling (OTG-SESS-008)|4.7.8 Testing for Session puzzling (OTG-SESS-008)]]
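Review bot: the added introductory paragraph (the '+' line beginning "One of the core components") reads "This is referred to this as Session Management" and "state-full interaction"; suggest "This is referred to as Session Management" and "stateful interaction". The added chapter list is also inconsistent in its titles: "Test Session Timeout (OTG-SESS-007)" sits among "Testing for ..." entries, and "logout functionality" and "Session puzzling" are lower-cased where the other entries capitalise their subjects; aligning these would keep the table of contents uniform.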

Latest revision as of 12:28, 8 August 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project


4.7 Session Management Testing


One of the core components of any web-based application is the mechanism by which it controls and maintains state for a user interacting with it. This is referred to as Session Management and is defined as the set of all controls governing stateful interaction between a user and the web-based application. It broadly covers everything from how user authentication is performed to what happens when the user logs out.


HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other. Even simple application logic requires a user's multiple requests to be associated with each other across a "session". This necessitates third-party solutions, either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations. Most popular web application environments, such as ASP and PHP, provide developers with built-in session handling routines. Some kind of identification token will typically be issued, referred to as a "Session ID" or Cookie.


There are a number of ways in which a web application may interact with a user. Each depends upon the nature of the site and the security and availability requirements of the application. Whilst there are accepted best practices for application development, such as those outlined in the OWASP Guide to Building Secure Web Applications, it is important that application security is considered within the context of the provider's requirements and expectations.


This chapter covers the following topics:

4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)

4.7.2 Testing for Cookies attributes (OTG-SESS-002)

4.7.3 Testing for Session Fixation (OTG-SESS-003)

4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)

4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)

4.7.6 Testing for logout functionality (OTG-SESS-006)

4.7.7 Test Session Timeout (OTG-SESS-007)

4.7.8 Testing for Session puzzling (OTG-SESS-008)
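As an added illustration of the controls the chapters listed above test for (an unpredictable Session ID, cookie attributes, ID regeneration at login against fixation, an idle timeout and server-side logout), here is a minimal server-side session store in Python. It is example code written for this page, not code from the OWASP Testing Guide; the cookie name SESSIONID and the 900-second idle timeout are assumed values.

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 900         # assumed policy: seconds of inactivity before a session is dropped
COOKIE_NAME = "SESSIONID"  # hypothetical cookie name, not from the Testing Guide

def new_session_id():
    # 256 bits from the OS CSPRNG: unpredictable, unlike counters or timestamps
    return secrets.token_urlsafe(32)

class SessionStore:
    def __init__(self, now=time.time):
        self.now = now       # injectable clock so the idle timeout can be tested
        self.sessions = {}   # session_id -> {"user": ..., "last_seen": ...}

    def create(self):
        # Anonymous (pre-authentication) session.
        sid = new_session_id()
        self.sessions[sid] = {"user": None, "last_seen": self.now()}
        return sid

    def get(self, sid):
        s = self.sessions.get(sid)
        if s is None or self.now() - s["last_seen"] > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)   # idle-expired IDs are dropped server-side
            return None
        s["last_seen"] = self.now()
        return s

    def login(self, sid, user):
        # Issue a fresh ID on authentication so a pre-set ID cannot be reused (fixation).
        self.sessions.pop(sid, None)   # the pre-login ID stops working immediately
        new_sid = new_session_id()
        self.sessions[new_sid] = {"user": user, "last_seen": self.now()}
        return new_sid

    def logout(self, sid):
        # Invalidate on the server; clearing the cookie client-side alone is not enough.
        return self.sessions.pop(sid, None) is not None

def set_cookie_header(sid):
    """Set-Cookie value carrying the attributes OTG-SESS-002 checks for."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["httponly"] = True   # not readable by page script
    c[COOKIE_NAME]["secure"] = True     # only sent over TLS
    c[COOKIE_NAME]["samesite"] = "Lax"  # withheld from most cross-site requests
    return c.output(header="").strip()
```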