[Esapi-user] Unit Test to test Session Fixation

Kevin W. Wall kevin.w.wall at gmail.com
Sat Jan 16 15:18:31 EST 2010


Dinis Cruz wrote:
> In the Encryptor thread Jeff wrote:
> 
>> Also should note that ESAPI automatically changes the sessionid upon
>> login (or manually) to prevent fixation. In my experience very few
>> applications do this properly.
> 
> Is there a unit test to test from a servlet point of view and from a remote
> client point of view?
> 
> I.e. I am after a test that I can run on an app that is able to tell if that
> app is vulnerable to session fixation, and if they are using ESAPI, if they
> have implemented it properly.
> 
> In the past I've written a number of similar tests for a Spring MVC app I was
> reviewing. I think I used HttpUnit, but for some tests maybe
> SeleniumHQ <http://seleniumhq.org> is a better option.

Dinis,

AFAIK, ESAPI (at least the Java version) has no such tests. All the tests I've
seen thus far are JUnit tests that directly test the pertinent Java classes.

However, it's clear that eventually, we are going to need such external
tests to ensure consistency across all the language implementations of ESAPI.
I know you've read the thread along a similar line about "TCK / ESTAPI
toolkit" that John Steven posted to the ESAPI-Users. I should think that it
would follow from that, that at some point we would develop some sort of
external tests such as the one that you allude to. In fact, similar subjects
have come up once or twice before that, but little if any progress has been
made in that area.

In the meantime, any pen testing tool that simply tests for session fixation
could be used in a "before" and "after" state. If no such test exists, it should
be fairly easy to cobble one together using Perl or using nc (netcat) and bash.
Metasploit may even have something pertinent, though I've not checked.

HTH,
-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
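The "before"/"after" check Kevin describes, as an added example that is not part of the original mail or of ESAPI itself: a remote-client script that records the session id handed out before authentication, logs in while presenting that id, and then reports whether the application rotated it and whether the old id still reaches the authenticated session. It is written in Python rather than Perl or netcat, and it embeds two constructed stand-in servers (one fixation-prone, one that rotates on login) so it runs offline; the cookie name JSESSIONID, the /login form, its field names and the /account page are assumptions to be swapped for the real application's.

```python
"""Black-box session fixation check: does the session id change on login, and
does the pre-auth id stop working?  Added example; the two embedded servers are
constructed stand-ins, not ESAPI code.  Assumed: cookie JSESSIONID, POST /login
with user/password fields, GET /account as an authenticated page."""
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

COOKIE = "JSESSIONID"  # assumed session cookie name


class DemoApp(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in application; ROTATE selects the behaviour under test."""
    ROTATE = True
    sessions = {}  # session id -> {"user": name} (subclasses own their dict)

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _sid(self):
        c = SimpleCookie(self.headers.get("Cookie", ""))
        return c[COOKIE].value if COOKIE in c else None

    def _reply(self, code, body, set_sid=None):
        self.send_response(code)
        if set_sid:
            self.send_header("Set-Cookie", f"{COOKIE}={set_sid}; HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sid = self._sid()
        if self.path == "/login":
            if sid not in self.sessions:  # anonymous visitor gets a pre-auth session
                sid = secrets.token_hex(8)
                self.sessions[sid] = {}
            self._reply(200, b"login form", sid)
        elif self.path == "/account":
            if sid in self.sessions and self.sessions[sid].get("user"):
                self._reply(200, b"welcome")
            else:
                self._reply(401, b"not logged in")
        else:
            self._reply(404, b"")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        sid = self._sid()
        if self.path != "/login" or form.get("password") != ["secret"]:
            self._reply(403, b"bad credentials")
            return
        if self.ROTATE:
            self.sessions.pop(sid, None)   # drop the pre-auth session ...
            sid = secrets.token_hex(8)     # ... and mint a fresh id at login
        elif sid is None:
            sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": form["user"][0]}
        self._reply(200, b"logged in", sid)


class FixationProneApp(DemoApp):
    ROTATE = False   # keeps whatever id the client presented
    sessions = {}


class RotatingApp(DemoApp):
    ROTATE = True    # what ESAPI's login is described as doing
    sessions = {}


def _request(base, path, sid=None, data=None):
    """Return (status, session id from Set-Cookie or None) for one request."""
    req = urllib.request.Request(base + path, data=data,
                                 method="POST" if data else "GET")
    if sid:
        req.add_header("Cookie", f"{COOKIE}={sid}")
    try:
        resp = urllib.request.urlopen(req)
    except urllib.error.HTTPError as err:
        resp = err
    jar = SimpleCookie()
    for header in resp.headers.get_all("Set-Cookie") or []:
        jar.load(header)
    return resp.getcode(), (jar[COOKIE].value if COOKIE in jar else None)


def check_session_fixation(base, user="alice", password="secret"):
    """Run the before/after test against the app at base; return the findings."""
    _, pre = _request(base, "/login")                       # 1. pre-auth id
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    status, post = _request(base, "/login", sid=pre, data=body)  # 2. log in with it
    if status != 200:
        raise RuntimeError(f"login failed with HTTP {status}")
    old_status, _ = _request(base, "/account", sid=pre)     # 3. old id still live?
    return {
        "pre_auth_id": pre,
        "post_auth_id": post,
        "id_rotated": post is not None and post != pre,
        "old_id_still_authenticated": old_status == 200,
    }


def serve(handler):
    """Start a stand-in app on a free loopback port; return (base URL, server)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


if __name__ == "__main__":
    for name, app in (("fixation-prone", FixationProneApp), ("rotating", RotatingApp)):
        base, _ = serve(app)
        print(name, check_session_fixation(base))
```

Both findings matter: an application can issue a new cookie at login yet leave the pre-authentication id bound to the now-authenticated session, so the second request with the old id is the one that catches that case. Against a real target, point `check_session_fixation` at its base URL and adjust the paths, field names and cookie name.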

