
Testing for Session Management Schema (OTG-SESS-001)

From OWASP
Revision as of 14:51, 2 November 2006 by Mmeucci (talk | contribs)


OWASP Testing Guide v2 Table of Contents

Brief Summary


..here: we describe in "natural language" what we want to test.

Description of the Issue


The session management schema should be considered alongside the authentication and authorisation schema, and should answer at least the following questions from a non-technical point of view:

- Will the application be accessed from shared systems (e.g. an Internet café)?
- Is application security of prime concern to the visiting client/customer?
- How many concurrent sessions may a user have?
- How long is the inactive (idle) timeout on the application?
- How long is the active (absolute) timeout, i.e. the maximum lifetime of a session regardless of activity?
- Are sessions transferable from one source IP to another?
- Is "remember my username" functionality provided?
- Is "automatic login" functionality provided?

Having identified the schema in place, the application and its logic must be examined to confirm proper implementation of the schema. This phase of testing is intrinsically linked with general application security testing. Whilst the first Schema questions (is the schema suitable for the site and does the schema meet the application provider’s requirements?) can be analysed in abstract, the final question (Does the site implement the specified schema?) must be considered alongside other technical testing.


The identified schema should be analysed against best practice within the context of the site during our penetration test. Where the defined schema deviates from security best practice, the associated risks should be identified and described within the context of the environment. Security risks and issues should be detailed and quantified, but ultimately, the application provider must make decisions based on the security and usability of the application. For example, if it is determined that the site has been designed without inactive session timeouts the application provider should be advised about risks such as replay attacks, long-term attacks based on stolen or compromised Session IDs and abuse of a shared terminal where the application wasn’t logged out. They must then consider these against other requirements such as convenience of use for clients and disruption of the application by forced re-authentication.
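The following is an added example, not code from the OWASP Testing Guide, showing how the schema properties listed above (inactive timeout, active timeout, a concurrent-session limit and source-IP binding) translate into concrete checks that a server-side session store would enforce. The timeout values, the hypothetical SessionStore/SessionPolicy names and the sample user names and IP addresses are constructed for illustration; an injectable clock lets the scenario in demo() step through time without waiting.

```python
"""
Illustrative session store enforcing the session management schema
properties discussed above. Added example, not OWASP code; all names,
policy values and sample data are assumptions chosen for the demo.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float     # time the session was issued (absolute timeout baseline)
    last_seen: float   # time of the last valid request (inactive timeout baseline)
    source_ip: str     # IP the session was issued to (for IP binding)


@dataclass
class SessionPolicy:
    inactive_timeout: float = 15 * 60   # seconds of idle time before expiry
    active_timeout: float = 8 * 3600    # absolute lifetime regardless of activity
    max_concurrent: int = 2             # sessions a user may hold at once
    bind_to_ip: bool = True             # reject a session ID presented from a new IP


class SessionStore:
    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock       # injectable so the demo can move time forward
        self.sessions = {}       # session id -> Session

    def create(self, user, source_ip):
        now = self.clock()
        # Enforce the concurrent-session limit by evicting the oldest session
        # for this user (expired-but-unpurged sessions count until validated).
        live = sorted(
            (sid for sid, s in self.sessions.items() if s.user == user),
            key=lambda sid: self.sessions[sid].created,
        )
        while len(live) >= self.policy.max_concurrent:
            del self.sessions[live.pop(0)]
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[sid] = Session(user, now, now, source_ip)
        return sid

    def validate(self, sid, source_ip):
        """Return (user, None) for a valid session, or (None, reason) otherwise."""
        s = self.sessions.get(sid)
        if s is None:
            return None, "unknown"
        now = self.clock()
        if now - s.created > self.policy.active_timeout:
            self.sessions.pop(sid)
            return None, "active_timeout"
        if now - s.last_seen > self.policy.inactive_timeout:
            self.sessions.pop(sid)
            return None, "inactive_timeout"
        if self.policy.bind_to_ip and s.source_ip != source_ip:
            return None, "ip_mismatch"   # not purged: the legitimate client may still be active
        s.last_seen = now
        return s.user, None

    def logout(self, sid):
        self.sessions.pop(sid, None)


class FakeClock:
    """Deterministic clock so the scenario below is reproducible offline."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through each schema property; returns the reason code per check."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(SessionPolicy(), clock)
    results = {}

    # Constructed sample data: user "alice" logging in from 203.0.113.5.
    sid = store.create("alice", "203.0.113.5")
    results["fresh"] = store.validate(sid, "203.0.113.5")[1]        # None
    results["other_ip"] = store.validate(sid, "198.51.100.7")[1]    # "ip_mismatch"
    clock.advance(16 * 60)                                          # 16 min idle
    results["idle"] = store.validate(sid, "203.0.113.5")[1]         # "inactive_timeout"

    # A client that keeps touching the session every 10 minutes still hits
    # the absolute timeout: 49 * 600 s = 29400 s > 8 h.
    sid2 = store.create("alice", "203.0.113.5")
    reason, touches = None, 0
    while reason is None:
        clock.advance(10 * 60)
        _, reason = store.validate(sid2, "203.0.113.5")
        touches += 1
    results["absolute"] = reason                                    # "active_timeout"
    results["touches_before_absolute"] = touches                    # 49

    # Third login for "bob" with max_concurrent=2 evicts his oldest session.
    b1 = store.create("bob", "203.0.113.9")
    clock.advance(1)
    b2 = store.create("bob", "203.0.113.9")
    clock.advance(1)
    store.create("bob", "203.0.113.9")
    results["evicted_oldest"] = store.validate(b1, "203.0.113.9")[1]     # "unknown"
    results["second_still_live"] = store.validate(b2, "203.0.113.9")[1]  # None
    store.logout(b2)
    results["after_logout"] = store.validate(b2, "203.0.113.9")[1]       # "unknown"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

When reviewing an application against its schema, each of these outcomes is something to provoke deliberately: present the session ID from a second address, let a session idle past the documented limit, keep a session alive past the absolute limit, and open more concurrent logins than the schema permits. A site that was "designed without inactive session timeouts" would never return inactive_timeout here, which is exactly the finding to report together with the risks described above.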

Black Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...



This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.