[Esapi-user] Unit Test to test Session Fixation

Jeff Williams jeff.williams at aspectsecurity.com
Sat Jan 16 15:49:03 EST 2010


This one in particular is very easy to write a test for. There's a  
page in the ESAPI SwingSet that rotates JSESSIONID on demand.  You  
could easily write a script to verify this behavior.  Overall I'd  
guess probably half of the features could be tested externally in this  
way.  Not that I subscribe to the theory frequently shouted by the  
scanner crowd that only externally facing controls are important by  
the way.

--Jeff

Jeff Williams
Aspect Security
work: 410-707-1487
main: 301-604-4882



On Jan 16, 2010, at 3:21 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com>  
wrote:

> Dinis Cruz wrote:
>> In the Encryptor thread Jeff wrote:
>>
>>> Also should note that ESAPI automatically changes the sessionid upon
>>> login (or manually) to prevent fixation. In my experience very few
>>> applications do this properly.
>>
>> Is there a unit test to test from a servlet point of view and from  
>> an remote
>> client point of view?
>>
>> I.e. I am after a test that I can run on a app that is able to tell  
>> if that
>> app is vulnerable to session fixation, and if they are using EASPI,  
>> if they
>> have implemented it properly.
>>
>> In the past I've wrote a number of similar tests for an Spring MVC  
>> app I was
>> reviewing, I think I used HttpUnit, but for some tests maybe
>> SeleniumHQ<http://seleniumhq.org> is
>> a better option.
>
> Dinis,
>
> AFAIK, ESAPI (at least the Java version) has no such tests. All the  
> tests I've
> seen thus far are JUnit tests that directly test the pertinent Java  
> classes.
>
> However, it's clear that eventually, we are going to need such  
> external
> tests to ensure consistency across all the language implementations  
> of ESAPI.
> I know you've read the thread along a similar line about "TCK / ESTAPI
> toolkit" that John Steven posted to the ESAPI-Users. I should think  
> that it
> would follow from that, that at some point we would develop some  
> sort of
> external tests such as the one that you allude to. In fact, similar  
> subjects
> have come up once or twice before that, but little if any progress  
> has been
> made in that area.
>
> In the meantime, any pen testing tool that simply tests for session  
> fixation
> could be used in a "before" and "after" state. If no such test  
> exists, it should
> be fairly easy to cobble one together using Perl or using nc  
> (netcat) and bash.
> Metasploit may even have something pertinent, though I've not checked.
>
> HTH,
> -kevin
> -- 
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts  
> agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of  
> MIME
> _______________________________________________
> Esapi-user mailing list
> Esapi-user at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-user


More information about the Esapi-user mailing list