Fwd: [OWASP-TESTING] OWASP Testing - Authentication

Matteo Meucci matteo.meucci at gmail.com
Thu Sep 1 14:08:00 EDT 2005


Excuse me... the *.zip was dropped.
I resend it in doc format.

Mat

---------- Forwarded message ----------
From: Matteo Meucci <matteo.meucci at gmail.com>
Date: Sep 1, 2005 8:06 PM
Subject: Re: [OWASP-TESTING] OWASP Testing - Authentication
To: owasp-testing at lists.sourceforge.net


As Alberto has already pointed out some weeks ago, some paragraphs are
overlapping.
So I suggest the paragraph 2.2 "Weak Session Tokens" should have a
reference to the paragraph "Cookie Manipulating" in chapter "Parameter
Manipulation".

I think also the paragraphs:
• Session token transport security and reuse of session tokens from
HTTP to HTTPS [ ]
• Session hijacking [ ]
• Session replay [ ]
• Session manipulation [ ]
• Inactivity timeout [ ]
• Activity timeout [ ]
• Expiration at logoff [ ]
• Session token expiry
located in the "Authentication" chapter should do the same.

What do you think?
Mat

P.S.: I resend you the paragraph "Cookie Manipulating" in zip format.


On 8/31/05, Irene Abezgauz <irene.abezgauz at gmail.com> wrote:
>
> Hey All,
>
> Attached is my contribution to the testing guide. Reviews and comments are
> welcome and always appreciated.
>
> Irene
>
> -------------------
> Irene Abezgauz
> Application Security Consultant
> Hacktics Ltd.
> Mobile: +972-54-6545405
> Web: www.hacktics.com
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.344 / Virus Database: 267.10.17/85 - Release Date: 8/30/2005
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Parameter Manipulation - Cookie manipulating - v1.doc
Type: application/msword
Size: 112640 bytes
Desc: not available
Url : http://lists.owasp.org/pipermail/owasp-testing/attachments/20050901/4eb10ce5/attachment.doc 