[Owasp-delhi] Session Related Issue

Tarun Dua tarundua at gmail.com
Tue Feb 17 02:32:01 EST 2009


On Tue, Feb 17, 2009 at 8:56 AM, Parmendra Sharma <s.parmendra at gmail.com> wrote:

> -> While scanning a website using a tool to find out the possible
> vulnerabilities...what happens if the Session Time is short for an
> application. To overcome this problem should we increase the number of
> threads used by the scanner for faster scanning......but it will also
> increase the load on the server.

What prevents you from scripting a re-authentication on the login
request page again? Now, I haven't seen an application where there is
a strict timeout even if there is someone actively using it. Session
timeout happens due to inactivity, i.e. no action from the user.

> -> While using some Authentication testing tools such as Web Brute
> (Webinspect), Brutus .....How do these tools work with an application
> having a short Session timeout, as cracking passwords takes a lot of time
> depending upon the strength of the password.

What exactly does this achieve for securing the application ?

http://xkcd.com/538/

Your application passwords are more likely to be compromised due to
bad policies and uneducated users rather than a brute force. However,
if you really want to brute force a web-accessible password, you would
need to run a botnet from 1000s of different IP addresses and try a
distributed crack.

-Tarun

