[OWASP-TESTING] Testing Part 2 Outline - additions

Roshen Chandran roshen.chandran at paladion.net
Wed Jul 14 17:53:14 EDT 2004


A few more areas that we could add in the Testing Part 2 Outline are:

In the Authentication section:

1. Vulnerable Remember password implementation

Check for cases where the password itself is stored as a persistent 
cookie, or the token assigned for remembering passwords is never 
reset and becomes as powerful as the password itself in plain text.

2. Weak "forgot password" implementations
Check for vulnerabilities like "weak hint question", "displaying 
original password to the user" and other design-level weaknesses.

and in the Data Protection section:

3. Sensitive data in persistent cookies
Check for passwords and other sensitive user information stored in 
persistent cookies.

4. Sensitive data in URLs
Check for account information, etc., turning up in the browser's 
"History" even after the user has logged off.
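As an added illustration of items 1, 3 and 4 (example code, not part of the original post or of the OWASP guide), the following checker takes Set-Cookie headers and URLs captured during a test session, flags persistent cookies whose value carries the user's password in plain, base64 or hex form, and flags URLs whose query string names account data. The cookie/URL samples and the parameter-name list are constructed assumptions.

```python
import base64
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Assumed list of query parameter names that indicate sensitive data.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "account", "acct", "ssn", "cardnumber"}


def _encodings(secret):
    """Plain, base64 and hex forms of the secret, as commonly seen in cookies."""
    raw = secret.encode()
    return {secret, base64.b64encode(raw).decode(), raw.hex()}


def persistent_cookies(set_cookie_headers):
    """Return {name: value} for cookies that outlive the browser session."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Expires or Max-Age makes the cookie persistent (item 3).
            if morsel["expires"] or morsel["max-age"]:
                found[name] = morsel.value
    return found


def cookies_leaking_secret(set_cookie_headers, secret):
    """Names of persistent cookies whose value contains the secret in any encoding (item 1)."""
    forms = _encodings(secret)
    return sorted(name for name, value in persistent_cookies(set_cookie_headers).items()
                  if any(form in value for form in forms))


def urls_with_sensitive_params(urls):
    """(url, [param, ...]) for URLs whose query string names sensitive data (item 4)."""
    hits = []
    for url in urls:
        names = {k.lower() for k in parse_qs(urlsplit(url).query)}
        bad = sorted(names & SENSITIVE_PARAMS)
        if bad:
            hits.append((url, bad))
    return hits


# Constructed sample traffic from a test session; "remember" holds base64("password123").
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly",
    "remember=cGFzc3dvcmQxMjM=; Expires=Wed, 14 Jul 2010 00:00:00 GMT; Path=/",
    "pref=lang%3Den; Max-Age=31536000; Path=/",
]
SAMPLE_URLS = [
    "https://bank.example/statement?account=12345678&month=7",
    "https://bank.example/login",
]
```

Run against the samples, the checker reports the "remember" cookie and the statement URL; the session cookie is ignored because it has no Expires or Max-Age.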


-Roshen.
