[OWASP-TESTING] Session Management Chapter for Part 2
jeff.williams at aspectsecurity.com
Mon Mar 1 00:39:07 EST 2004
Here you go...
1) Figure out what cookie, url parameter, or hidden field the site is using
to maintain a session
2) Search the code for that name
3) Trace all uses of that back through any variables, methods, etc...
4) If you find any -- write it up and strongly recommend that they use the
one provided by their webserver or application server -- like JSESSIONID
If they come up with a good reason why they have to roll their own (and none
are coming to my mind real quickly), then you gotta check the code to be
sure that the sessionid is cryptographically random and long enough not to
be guessable, only used over SSL, times out, destroyed on logout, etc...
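As an added illustration (not code from the thread or from OWASP), here is what a roll-your-own session store would have to look like to pass the checks above: CSPRNG-generated ids long enough not to be guessable, an idle timeout, destruction on logout, and a cookie marked Secure so the id only travels over SSL. The 128-bit entropy floor and the injectable clock are assumptions of this example.

```python
import math
import secrets
import time

# Minimum entropy (in bits) this example demands of a session id.
# This figure is an assumption of the example, not from the thread.
MIN_ENTROPY_BITS = 128


def token_entropy_bits(token: str, alphabet_size: int) -> float:
    """Upper bound on the entropy of a token drawn uniformly from an alphabet
    of the given size; use it to judge whether an id is 'long enough'."""
    return len(token) * math.log2(alphabet_size)


class SessionStore:
    """Server-side session table: random ids, idle timeout, explicit destroy."""

    def __init__(self, idle_timeout_s: int, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def create(self, user: str) -> str:
        # secrets uses the OS CSPRNG; 32 bytes -> 256 bits, 43 base64url chars
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]  # expired: discard, never revive
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid: str) -> None:
        """Called on logout: the id must be unusable afterwards."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    # Secure keeps the id off plaintext HTTP; HttpOnly keeps it away from script
    return f"SESSIONID={sid}; Secure; HttpOnly; Path=/"
```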
----- Original Message -----
From: Mark Curphey
To: owasp-testing at lists.sourceforge.net
Sent: Saturday, February 28, 2004 10:20 AM
Subject: [OWASP-TESTING] Session Management Chapter for Part 2
Glyn, Any chance we can use the Chapter you wrote on Session Management
Testing as an appendix to Testing Part 1 to show readers what to expect
in Part 2 ?
Anyone volunteer to write a chapter or a section on using Code Review to
test session management that will complement Glyn's Chapter (which was
pen testing focused)?