[Owasp-testing] Addition to "Testing for logout functionality (OTG-SESS-006)"

Lode Vanstechelman lode at vanstechelman.eu
Tue Sep 16 10:46:01 UTC 2014


Hello,

I'm not sure if it can still be added to the TestingGuide v4, but I have
added a paragraph to the "Testing for logout functionality (OTG-SESS-006)"
page.
I find it important since the weakness described on this wiki page is
present in all ASP.NET versions when using Form Authentication, what is
commonly used in web applications.
Therefore I think it would be good if it could still be added to v4.

For those interested: the weakness in ASP.NET is standard textbook: on
logout, the cookie in the browser is removed, but the cookie value can be
reused to gain access to the authenticated session. See links [1] and [2]
below.

Kind regards,
Lode

[1] "The FormsAuthentication.SignOut method does not prevent cookie reply
attacks in ASP.NET applications" -
http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
[2] "Cookie replay attacks in ASP.NET when using forms authentication" -
http://goo.gl/b0Le1M
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-testing/attachments/20140916/a128ef9f/attachment.html>


More information about the Owasp-testing mailing list