[Esapi-user] Unit Test to test Session Fixation

Dinis Cruz dinis.cruz at googlemail.com
Sat Jan 16 13:19:02 EST 2010


In the Encryptor thread Jeff wrote:

> Also should note that ESAPI automatically changes the sessionid upon
> login (or manually) to prevent fixation. In my experience very few
> applications do this properly.

Is there a unit test to test from a servlet point of view and from a remote
client point of view?

I.e. I am after a test that I can run on an app that is able to tell if that
app is vulnerable to session fixation, and, if they are using ESAPI, whether they
have implemented it properly.

In the past I've written a number of similar tests for a Spring MVC app I was
reviewing. I think I used HttpUnit, but for some tests maybe
SeleniumHQ <http://seleniumhq.org> is a better option.

Dinis Cruz
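The remote-client half of the test Dinis asks for, as an added example that is not code from this thread, from ESAPI or from HttpUnit: the client fetches a page anonymously, records the session cookie it was handed, logs in while presenting that cookie, and then checks whether the server issued a different session id. To keep it runnable offline it is written in Python and carries a stub HTTP server that can be started in either a "keeps the pre-auth id" (vulnerable) or "rotates on login" (fixed) mode; the cookie name `JSESSIONID`, the `/login` path and the form fields are assumptions standing in for whatever the app under test really uses.

```python
import http.cookies
import http.server
import secrets
import threading
import urllib.request

SESSION_COOKIE = "JSESSIONID"  # assumed cookie name; adjust for the app under test


def make_handler(rotate_on_login):
    """Stub app (constructed for this example). rotate_on_login=False models
    the session fixation bug: the pre-authentication id survives login."""

    class Handler(http.server.BaseHTTPRequestHandler):
        def _session_from_request(self):
            raw = self.headers.get("Cookie")
            if raw:
                jar = http.cookies.SimpleCookie()
                jar.load(raw)
                if SESSION_COOKIE in jar:
                    return jar[SESSION_COOKIE].value
            return None

        def _respond(self, body, new_session=None):
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            if new_session is not None:
                self.send_header("Set-Cookie", f"{SESSION_COOKIE}={new_session}; HttpOnly")
            self.end_headers()
            self.wfile.write(body.encode())

        def do_GET(self):
            # Anonymous visit: hand out a session id if the client has none yet
            sid = self._session_from_request()
            self._respond("anonymous", None if sid else secrets.token_hex(16))

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            self.rfile.read(length)  # credentials are not checked in this stub
            sid = self._session_from_request()
            if rotate_on_login or sid is None:
                self._respond("logged in", secrets.token_hex(16))  # fresh id after login
            else:
                self._respond("logged in", None)  # keeps the pre-auth id: fixation

        def log_message(self, *args):  # keep the console quiet
            pass

    return Handler


def start_server(rotate_on_login):
    """Start the stub on a free loopback port; returns (server, base_url)."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), make_handler(rotate_on_login))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _request(url, cookie=None, method="GET", data=None):
    """Send one request presenting `cookie`; return the session id the server
    left us with (a new one from Set-Cookie, or the one we already had)."""
    req = urllib.request.Request(url, data=data, method=method)
    if cookie:
        req.add_header("Cookie", f"{SESSION_COOKIE}={cookie}")
    with urllib.request.urlopen(req) as resp:
        set_cookie = resp.headers.get("Set-Cookie")
    if set_cookie:
        jar = http.cookies.SimpleCookie()
        jar.load(set_cookie)
        if SESSION_COOKIE in jar:
            return jar[SESSION_COOKIE].value
    return cookie


def check_session_fixation(base_url):
    """Remote-client check: does the session id survive authentication?
    vulnerable=True means the pre-login id is still valid after login."""
    pre = _request(base_url + "/")
    post = _request(base_url + "/login", cookie=pre, method="POST",
                    data=b"username=alice&password=secret")  # assumed form fields
    return {"pre_login": pre, "post_login": post,
            "vulnerable": pre is not None and pre == post}


if __name__ == "__main__":
    for rotate in (False, True):
        server, url = start_server(rotate)
        print(f"rotate_on_login={rotate}: {check_session_fixation(url)}")
        server.shutdown()
        server.server_close()
```

Against a real deployment, `start_server` is dropped and `check_session_fixation` is pointed at the application's base URL; the same three-step shape (anonymous request, authenticated request with the old cookie, compare ids) is what an HttpUnit or Selenium version would do, with the browser handling the cookie bookkeeping. Note that a server which issues no session cookie before login cannot be fixated through this path, so the check reports `vulnerable=False` with `pre_login=None` rather than guessing.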