[Owasp-testing] Owasp-testing Digest, Vol 33, Issue 3

Matt Tesauro matt.tesauro at owasp.org
Tue Feb 23 08:59:23 EST 2010


Michael, 

I'd agree with your conclusion.  SM-001 is the best fit from a purely
session management perspective. 

You might also look at AT-007 "Testing for Logout and Browser Cache
Management"
http://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Management_%28OWASP-AT-007%29

This may also apply since the app likely should be removing your
authentication (that is logging you out) when the session has expired.

Have you determined what is causing the HTTP 302 (Redirect)?  Typically,
this is caused server side on the request that occurs right after
session max time.   Please tell me it's not some JavaScript code
implementing a timer that exists per page. ;)

Also, the method to redirect is occasionally vulnerable to attacks.
Something to look at anyway.

Hope that helps.

-- 
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site


On Tue, 2010-02-23 at 07:00 -0500, owasp-testing-request at lists.owasp.org
wrote:
> Message: 1
> Date: Tue, 23 Feb 2010 11:58:29 +0000
> From: Michael Boman <michael.boman at omegapoint.se>
> Subject: [Owasp-testing] Session timeout failure - What ref. number?
> To: "owasp-testing at lists.owasp.org" <owasp-testing at lists.owasp.org>
> 
> I came across a failure to properly timeout a session. The session
> times out and I am re-directed to the login page, but by pressing
> "back" on the browser got me into the application again which still
> thought that I was logged in.
> 
> My question is what reference number that would be in OWASP testing
> guide. I've been browsing through the guide but haven't been able to
> pin-point the reference number as of yet.
> 
> Perhaps it belongs under OWASP-SM-001, but I am not sure.
> 
> Please advise.
> 
> Best regards
> Michael Boman
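As an added illustration (not code from the thread or from OWASP), here is the server-side arrangement Matt describes: a store that is the only authority on whether a session is still valid, with an inactivity limit enforced on every request, and authenticated responses carrying no-store cache headers so the browser's back button cannot re-show a page after the session is gone. The names SessionStore, handle_request and SESSION_MAX_AGE are assumptions made for this example.

```python
"""Added example: server-side session expiry plus anti-caching headers."""
import time
from dataclasses import dataclass

SESSION_MAX_AGE = 900  # seconds of inactivity after which a session is dead (assumed value)

# Headers sent with every authenticated response so intermediaries and the
# browser history do not keep a copy that "back" could redisplay.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Server-side session table; the client cookie is only a lookup key."""

    def __init__(self, max_age=SESSION_MAX_AGE, clock=time.time):
        self.max_age = max_age
        self.clock = clock  # injectable so the expiry path can be exercised offline
        self._sessions = {}

    def create(self, session_id, user):
        self._sessions[session_id] = Session(user, self.clock())

    def lookup(self, session_id):
        """Return the live session or None; expired entries are removed, not just ignored."""
        s = self._sessions.get(session_id)
        if s is None:
            return None
        if self.clock() - s.last_seen > self.max_age:
            del self._sessions[session_id]
            return None
        s.last_seen = self.clock()  # sliding inactivity window
        return s

    def destroy(self, session_id):
        """Explicit logout: the cookie value becomes worthless server side."""
        self._sessions.pop(session_id, None)


def handle_request(store, cookie_session_id, path):
    """Return (status, headers, body); the 302 is decided here, not by page JavaScript."""
    session = store.lookup(cookie_session_id)
    if session is None:
        return 302, {"Location": "/login", **NO_CACHE_HEADERS}, ""
    return 200, {"Content-Type": "text/html", **NO_CACHE_HEADERS}, f"{session.user}: {path}"
```

With this layout, replaying a stale cookie after the timeout (or after logout) gets the redirect regardless of what the browser still has in its history.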