[Owasp-testing] Owasp-testing Digest, Vol 33, Issue 3

Calderon, Juan Carlos (GE, Corporate, consultant) juan.calderon at ge.com
Tue Feb 23 09:52:03 EST 2010


Like Matt, I hope it is not just JavaScript redirecting the user.

If you also have to refresh the page or are presented with a "you have
to resend post information" message, then you might be facing an issue
with credentials being cached in the browser; in that case you have to
implement a redirect-after-post to make the browser "forget" the
credentials.

Regards,
Juan Carlos

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
Sent: Martes, 23 de Febrero de 2010 07:59 a.m.
To: owasp-testing at lists.owasp.org
Subject: Re: [Owasp-testing] Owasp-testing Digest, Vol 33, Issue 3

Michael, 

I'd agree with your conclusion.  SM-001 is the best fit from a purely
session management perspective. 

You might also look at AT-007 "Testing for Logout and Browser Cache
Management":
http://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Management_%28OWASP-AT-007%29

This may also apply since the app likely should be removing your
authentication (that is logging you out) when the session has expired.

Have you determined what is causing the HTTP 302 (Redirect)?  Typically,
this is caused server side on the request that occurs right after
session max time.   Please tell me it's not some JavaScript code
implementing a timer that exists per page. ;)

Also, the method to redirect is occasionally vulnerable to attacks.
Something to look at anyway.

Hope that helps.

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site


On Tue, 2010-02-23 at 07:00 -0500, owasp-testing-request at lists.owasp.org
wrote:
> Message: 1
> Date: Tue, 23 Feb 2010 11:58:29 +0000
> From: Michael Boman <michael.boman at omegapoint.se>
> Subject: [Owasp-testing] Session timeout failure - What ref. number?
> To: "owasp-testing at lists.owasp.org" <owasp-testing at lists.owasp.org>
> 
> I came across a failure to properly timeout a session. The session
> times out and I am re-directed to the login page, but pressing
> "back" in the browser got me into the application again, which still
> thought that I was logged in.
> 
> My question is what reference number that would be in the OWASP testing
> guide. I've been browsing through the guide but haven't been able to
> pin-point the reference number as of yet.
> 
> Perhaps it belongs under OWASP-SM-001, but I am not sure.
> 
> Please advise.
> 
> Best regards
> Michael Boman
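The behaviour the thread is asking for, as an added example that is not code from any of the posters: a session whose idle timeout is enforced server side on every request (so the 302 to the login page comes from the server, not a per-page JavaScript timer), Cache-Control headers on every authenticated response so that the browser's Back button cannot re-display a page from cache, and a redirect-after-POST so that a reload does not prompt to resend form data. It is a plain WSGI application using only the Python standard library; the idle timeout value, the in-memory session store and the /login, /logout and /app paths are assumptions made for the demo.

```python
"""Session idle-timeout, cache control and redirect-after-POST demo (WSGI).

Added example, not code from the thread. Names below (IDLE_TIMEOUT,
SESSIONS, the /login, /logout and /app paths) are assumptions for the demo.
"""
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session dies (assumed value)
SESSIONS = {}            # session id -> {"user": str, "last_seen": float}; demo store only

# Sent on every response that may carry authenticated content so Back/history
# navigation cannot show a cached copy after the session is gone.
NO_CACHE = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def _session_id(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return cookie["sid"].value if "sid" in cookie else None


def current_user(environ, now=None):
    """Return the user of a live session, or None; expired sessions are deleted."""
    now = time.time() if now is None else now
    sid = _session_id(environ)
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT:
        del SESSIONS[sid]    # server-side invalidation, not just a client redirect
        return None
    sess["last_seen"] = now  # sliding idle window
    return sess["user"]


def login(user, now=None):
    """Create a session and return (sid, Set-Cookie header tuple)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "last_seen": time.time() if now is None else now}
    return sid, ("Set-Cookie", f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax")


def app(environ, start_response, now=None):
    """WSGI entry point; `now` is an optional clock override used by tests."""
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    user = current_user(environ, now)

    if path == "/login" and method == "POST":
        # The demo accepts any POSTed user name; real code verifies credentials.
        _, cookie = login(environ.get("DEMO_USER", "alice"), now)
        start_response("303 See Other", [("Location", "/app"), cookie] + NO_CACHE)
        return [b""]

    if path == "/logout":
        SESSIONS.pop(_session_id(environ), None)
        start_response("302 Found", [("Location", "/login"),
                                     ("Set-Cookie", "sid=; Path=/; Max-Age=0")] + NO_CACHE)
        return [b""]

    if user is None:
        # Absent or expired session: the 302 is issued server side on this very
        # request, and the session is already gone, so Back cannot resurrect it.
        start_response("302 Found", [("Location", "/login")] + NO_CACHE)
        return [b""]

    if method == "POST":
        # Redirect-after-POST: history holds a GET, so reload does not resubmit.
        start_response("303 See Other", [("Location", path)] + NO_CACHE)
        return [b""]

    start_response("200 OK", [("Content-Type", "text/plain")] + NO_CACHE)
    return [f"hello {user}".encode()]


def call(path, method="GET", sid=None, now=None):
    """Drive the app without a server; returns (status, headers dict, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": method}
    if sid:
        environ["HTTP_COOKIE"] = f"sid={sid}"
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response, now))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The `Secure` cookie attribute means a browser will only send the cookie over HTTPS, so when running the demo server on plain http://127.0.0.1:8000 drop that attribute for local testing. The check that matters for the reported finding is the last one: once the idle window has passed, the session entry no longer exists on the server, so the page reached via Back is either served from a no-store-protected (and therefore absent) cache or triggers a fresh request that gets the 302.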



