[OWASP-TESTING] Testing Guide structure and documents to do
Javier Fernandez-Sanguino
jfernandez at germinus.com
Thu Mar 23 10:26:53 EST 2006
Glyn Geoghegan wrote:
> A lot of the session related stuff is in the doc I sent you a few days
> back, but it does need fresh eyes and some updates.
I'm willing to review that part as I've done extensive application
review recently and we devoted some time to define how to test for
proper session management.
Eoin, please notice that maybe the following should be included as
'Completed' (or maybe pending review)
Authentication
[ ... ]
· Session token transport security and reuse of session tokens from HTTP to HTTPS [ ]
· Session hijacking [ ]
· Session replay [ ]
· Session manipulation [ ]
· Inactivity timeout [ ]
· Activity timeout [ ]
· Expiration at logoff [ ]
· Session token expiry [ ]
Regards
Javier
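The checklist above names the session-management properties to test for but, as a mailing-list thread, does not say what "proper" behaviour looks like on the server side. The following is an added example, not code from the OWASP Testing Guide or from anyone on the thread: a minimal in-memory session store that enforces token rotation when a session moves from HTTP to HTTPS (so a token that travelled in clear text is never reused on the secure channel), revokes a secure-channel token that shows up over HTTP, applies an inactivity timeout and an absolute (activity) timeout, and invalidates the token at logoff. `run_checklist()` drives the store through each of those items and reports what it observed. The timeout values, the `FakeClock` helper and the user names are assumptions made for the example; hijacking, replay and manipulation testing are left to the tester, this code only ensures tokens are unguessable (`secrets.token_urlsafe`) and cannot be reused after the conditions above.

```python
"""Server-side session store illustrating the session-management checklist.

Added example for the thread above; not OWASP Testing Guide code.
Timeouts, the fake clock and user names are assumptions for the demo.
"""
import secrets
import time
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 15 * 60      # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60    # hard lifetime, regardless of activity


class FakeClock:
    """Deterministic clock so timeouts can be exercised without sleeping."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Session:
    user: str
    secure: bool      # token issued over HTTPS?
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user, over_https):
        """Issue a fresh, unguessable token bound to the transport it was issued on."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, over_https, now, now)
        return token

    def resolve(self, token, over_https):
        """Validate a presented token. Returns (token_to_use, status); token is None on failure."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown or revoked token"
        now = self._clock()
        if now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None, "absolute timeout"
        if now - s.last_seen > INACTIVITY_TIMEOUT:
            del self._sessions[token]
            return None, "inactivity timeout"
        if s.secure and not over_https:
            # A token meant for HTTPS arrived in the clear: treat it as exposed.
            del self._sessions[token]
            return None, "secure token sent over HTTP"
        s.last_seen = now
        if over_https and not s.secure:
            # HTTP -> HTTPS transition: never carry the clear-text token over.
            del self._sessions[token]
            new_token = secrets.token_urlsafe(32)
            self._sessions[new_token] = Session(s.user, True, s.created, now)
            return new_token, "rotated on HTTP->HTTPS"
        return token, "ok"

    def logoff(self, token):
        """Expire the session server-side; returns True if it existed."""
        return self._sessions.pop(token, None) is not None


def run_checklist():
    """Exercise each checklist item; returns {item: True/False}."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock=clock)
    results = {}

    # Reuse of session tokens from HTTP to HTTPS: must rotate, old token must die.
    t_http = store.create("alice", over_https=False)
    t_https, status = store.resolve(t_http, over_https=True)
    results["http_to_https_rotated"] = status == "rotated on HTTP->HTTPS" and t_https != t_http
    results["old_http_token_dead"] = store.resolve(t_http, True)[1] == "unknown or revoked token"

    # Inactivity timeout.
    clock.advance(INACTIVITY_TIMEOUT + 1)
    results["inactivity_timeout"] = store.resolve(t_https, True)[1] == "inactivity timeout"

    # Activity (absolute) timeout: keep the session busy, it must still expire.
    t, status = store.create("bob", over_https=True), "ok"
    while status == "ok":
        clock.advance(INACTIVITY_TIMEOUT // 2)
        t, status = store.resolve(t, over_https=True)
    results["absolute_timeout"] = status == "absolute timeout"

    # Expiration at logoff.
    t = store.create("carol", over_https=True)
    results["logoff_invalidates"] = store.logoff(t) and store.resolve(t, True)[1] == "unknown or revoked token"

    # Transport security: secure-channel token replayed over HTTP is revoked.
    t = store.create("dave", over_https=True)
    results["secure_token_over_http_revoked"] = store.resolve(t, False)[1] == "secure token sent over HTTP"
    return results


if __name__ == "__main__":
    for item, passed in run_checklist().items():
        print(f"{item:32s} {'PASS' if passed else 'FAIL'}")
```

When testing a real application against the checklist, the same scenarios apply from the outside: capture the cookie over HTTP, present it over HTTPS and confirm it is rejected or replaced; idle past the documented inactivity window; keep a session busy past the absolute lifetime; log off and replay the old token.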