[OWASP-TESTING] Testing Guide structure and documents to do

Javier Fernandez-Sanguino jfernandez at germinus.com
Thu Mar 23 10:26:53 EST 2006

Glyn Geoghegan wrote:
> A lot of the session related stuff is in the doc I sent you a few  days 
> back, but it does need fresh eyes and some updates.

I'm willing to review that part as I've done extensive application 
review recently and we devoted some time to define how to test for 
proper session management.

Eoin, please notice that maybe the following should be included as 
'Completed' (or maybe pending review)

[ ... ]
·	Session token transport security and reuse of session tokens from HTTP 
to HTTPS []
·	Session hijacking [ ]
·	Session replay [ ]
·	Session manipulation [ ]
·	Inactivity timeout [ ]
·	Activity timeout [ ]
·	Expiration at logoff [ ]
·	Session token expiry [ ]



More information about the Owasp-testing mailing list