[Owasp-delhi] Session Related Issues

John, Arun (HP Software) arun.john at hp.com
Wed Feb 18 03:02:40 EST 2009


Hi Paramendra,

Obviously these queries are on two lines … one for session keep-alive from tools and the other for password cracking/brute force.


1.       I guess threads are not the way to get this issue cleared. The session timeout may not be the only issue. It could also be that the session gets terminated due to unforeseen issues (e.g. load).

2.       In WebInspect, the same is handled using a logout signature verification … as and when the tool receives a logout signature (regex based … e.g. [status] 302 AND [all] login.aspx) the tool resubmits the login info form.

Hope this clarifies. I am a tech consultant with HP on WI and hence I would be able to give you the perspective from our tools only.

Regards
John
From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Parmendra Sharma
Sent: Monday, February 16, 2009 10:33 AM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] Session Related Issues

Dear OWASP Members,

Please put some light on the following points:

-> While scanning a website using a tool to find out the possible vulnerabilities... what happens if the session time is short for an application? To overcome this problem, should we increase the number of threads used by the scanner for faster scanning... but it will also increase the load on the server.

-> While using some authentication testing tools such as Web Brute (WebInspect), Brutus... how do these tools work with an application having a short session timeout, as cracking passwords takes a lot of time depending upon the strength of the password?

--
Thanks and Regards:

Parmendra Sharma
Indian Computer Emergency Response Team (CERT-In)
Ministry of Information Technology
Government of India
6 C.G.O Complex
Lodhi Road
New Delhi
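The logout-signature handling John describes for WebInspect, shown below as an added, constructed example (it is not code from either message, nor from HP's product): a scanner-side session keeper checks every response against a signature (status 302 and a regex for login.aspx), re-submits the login form on a hit, and retries the request once. The target application, its credentials, the cookie name and the three-request session lifetime are all assumptions built in here so the example runs offline.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for an HTTP response; no network is used.
@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""

@dataclass
class LogoutSignature:
    """A status code plus a regex that must match anywhere in the response
    (headers or body), in the spirit of '[status] 302 AND [all] login.aspx'."""
    status: int
    pattern: str

    def matches(self, resp: Response) -> bool:
        if resp.status != self.status:
            return False
        blob = "\n".join(f"{k}: {v}" for k, v in resp.headers.items()) + "\n" + resp.body
        return re.search(self.pattern, blob, re.IGNORECASE) is not None

class FakeApp:
    """Assumed target: each session is invalidated after MAX_REQUESTS requests,
    after which every request is redirected to login.aspx."""
    MAX_REQUESTS = 3

    def __init__(self):
        self.sessions = {}   # session token -> requests served on it
        self.next_id = 0
        self.logins = 0      # what the application's own login log would show

    def request(self, method, path, cookies=None, form=None) -> Response:
        if path == "/login.aspx" and method == "POST":
            if form and form.get("user") == "scanner" and form.get("pass") == "s3cret":
                self.next_id += 1
                token = f"sess{self.next_id}"
                self.sessions[token] = 0
                self.logins += 1
                return Response(302, {"Location": "/home.aspx",
                                      "Set-Cookie": f"ASP.NET_SessionId={token}"})
            return Response(200, {}, "<form>Invalid credentials</form>")
        token = (cookies or {}).get("ASP.NET_SessionId")
        if token in self.sessions:
            self.sessions[token] += 1
            if self.sessions[token] <= self.MAX_REQUESTS:
                return Response(200, {}, f"<html>content of {path}</html>")
            del self.sessions[token]          # session expired server-side
        return Response(302, {"Location": "/login.aspx?ReturnUrl=" + path})

class SessionKeeper:
    """Scanner-side session handling: on a logout-signature hit, re-submit the
    login form and retry the request once."""
    def __init__(self, app, signature, login_form):
        self.app, self.signature, self.login_form = app, signature, login_form
        self.cookies = {}
        self.relogins = 0

    def login(self):
        resp = self.app.request("POST", "/login.aspx", form=self.login_form)
        if "Set-Cookie" not in resp.headers:
            raise RuntimeError("login failed")
        name, value = resp.headers["Set-Cookie"].split("=", 1)
        self.cookies[name] = value

    def get(self, path) -> Response:
        resp = self.app.request("GET", path, cookies=self.cookies)
        if self.signature.matches(resp):
            self.relogins += 1
            self.login()
            resp = self.app.request("GET", path, cookies=self.cookies)
        return resp

PATHS = [f"/page{i}.aspx" for i in range(1, 8)]   # seven constructed scan targets
CREDS = {"user": "scanner", "pass": "s3cret"}

def run_scan_with_keeper(paths):
    """Returns (pages fetched with 200, re-logins by the keeper, logins seen by the app)."""
    app = FakeApp()
    keeper = SessionKeeper(app, LogoutSignature(302, r"login\.aspx"), CREDS)
    keeper.login()
    ok = sum(1 for p in paths if keeper.get(p).status == 200)
    return ok, keeper.relogins, app.logins

def run_scan_naive(paths):
    """Same crawl with a single login and no logout detection."""
    app = FakeApp()
    resp = app.request("POST", "/login.aspx", form=CREDS)
    name, value = resp.headers["Set-Cookie"].split("=", 1)
    cookies = {name: value}
    return sum(1 for p in paths if app.request("GET", p, cookies=cookies).status == 200)

if __name__ == "__main__":
    print("naive:", run_scan_naive(PATHS))               # 3
    print("with keeper:", run_scan_with_keeper(PATHS))   # (7, 2, 3)
```

On the same seven paths the naive crawl gets only three successful responses, because everything after the timeout is a redirect, while the keeper gets all seven at the cost of two extra logins; that login count is also what the application's own authentication log records for an authorized scan, which is a useful thing to know when reviewing logs from a test window.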