[Owasp-testing] Addition to "Testing for logout functionality (OTG-SESS-006)"

andrew at ionize.com.au andrew at ionize.com.au
Tue Sep 16 11:20:35 UTC 2014

Hi Lode,

  Thanks for the contribution, but it is too late for v4. After a short hiatus, work will begin on v5 which will be published in 2016. We look forward to working with you and many others over the next 18 months.


For the record, the Testing Guide is undergoing the final touches by the book designer before it is uploaded to Lulu and is released as a published book. Shortly, we will make a formal announcement upon its release. For those that have contributed to this project, you should be immensely proud. It represents an evolution of the global standard for security testing of web applications.




From: owasp-testing-bounces at lists.owasp.org [mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Lode Vanstechelman
Sent: Tuesday, September 16, 2014 8:46 PM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] Addition to "Testing for logout functionality (OTG-SESS-006)"




I'm not sure if it can still be added to the TestingGuide v4, but I have added a paragraph to the "Testing for logout functionality (OTG-SESS-006)" page.

I find it important since the weakness described on this wiki page is present in all ASP.NET versions when using Form Authentication, which is commonly used in web applications.

Therefore I think it would be good if it could still be added to v4.


For those interested: the weakness in ASP.NET is standard textbook: on logout, the cookie in the browser is removed, but the cookie value can be reused to gain access to the authenticated session. See links [1] and [2] below.


Kind regards,



[1] "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications" - http://support.microsoft.com/default.aspx?scid=kb;en-us;900111

[2] "Cookie replay attacks in ASP.NET when using forms authentication" - http://goo.gl/b0Le1M
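
The logout check described in the message above, as an added example that is not part of the original thread or of the Testing Guide: it contrasts a logout that only clears the browser cookie with one that also invalidates the ticket on the server. The `App` class, its signed-ticket format and the key are a simplified, constructed model of stateless ticket authentication, not ASP.NET's actual implementation.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # constructed value, demo only


class App:
    """Toy model of stateless ticket auth (an assumption, not ASP.NET code)."""

    def __init__(self, revoke_on_logout):
        self.revoke_on_logout = revoke_on_logout
        self.revoked = set()  # server-side record of signed-out tickets

    def login(self, user, ttl=1800):
        body = f"{user}|{int(time.time()) + ttl}"
        mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"  # value the browser stores as the auth cookie

    def logout(self, ticket):
        # Both variants tell the browser to drop the cookie; only the
        # hardened variant also remembers the ticket as signed out.
        if self.revoke_on_logout:
            self.revoked.add(ticket)
        return {"Set-Cookie": "auth=; Max-Age=0"}

    def is_authenticated(self, ticket):
        try:
            user, expiry, mac = ticket.split("|")
            expires_at = int(expiry)
        except ValueError:
            return False
        good = hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), good.encode()):
            return False
        return expires_at >= time.time() and ticket not in self.revoked


def logout_invalidates_ticket(app):
    """Logout check: save the cookie value, sign out, present it again."""
    saved = app.login("alice")
    app.logout(saved)
    return not app.is_authenticated(saved)


if __name__ == "__main__":
    print("client-side only:", logout_invalidates_ticket(App(False)))
    print("server-side revocation:", logout_invalidates_ticket(App(True)))
```

In the client-side-only variant the saved ticket stays valid until its embedded expiry, so a test that only confirms the browser cookie disappeared would pass while the server still accepts the old value.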
