[Owasp-testing] Observations on the current Testing Guide (Part 2)

Safuat Hamdy safuat.hamdy at secorvo.de
Mon Jan 19 16:46:04 UTC 2015

This is Part 2 of my observations on OTG.

- AUTHN-004: Session ID Prediction is mostly identical to SESS-001:
Session ID Predictability and Randomness

- SESS-001: Session ID Predictability:
The requirements state "[...] Are Session IDs provably random? [...] Are
session IDs provably resistant to statistical or cryptanalysis? [...]"
Hang on - how is the tester supposed to verify that?! The claim that
something is provable is an extreme proposition. In essence, this
requires white-box insight into the PRNG plus providing a formal proof
for the claim - something that (a) rules out black-box tests altogether and
(b) is most likely far beyond the average tester's capabilities.
The requirement should be reworded; for black-box tests anything far
beyond applying Burp's sequencer (or similar tools) to a sufficiently
large number of values is not realistic, and the expected outcome should
be that there is no obvious sign that a random value such as a session
ID has insufficient entropy.


There are 10 types of people - those who understand ternary,
those who confuse it with binary, and those who don't get it at all.
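
A black-box check of the kind the SESS-001 comment above calls realistic, as an added example that is not part of the original post and is not Burp's algorithm: it collects a large sample of session IDs and reports only obvious signs of insufficient entropy. The function names, the threshold and both sample generators are assumptions made for illustration, and the IDs are constructed.

```python
import hashlib
import math
from collections import Counter

def position_entropy(ids):
    """Shannon entropy in bits of the characters observed at each position."""
    n = len(ids)
    return [-sum(c / n * math.log2(c / n) for c in Counter(col).values())
            for col in zip(*ids)]

def assess(ids, alphabet_size=16, min_ratio=0.9):
    """Report obvious weaknesses. A clean report is not a proof of randomness."""
    if len({len(s) for s in ids}) != 1:
        raise ValueError("expected fixed-length session IDs")
    per_pos = position_entropy(ids)
    floor = min_ratio * math.log2(alphabet_size)
    return {
        "samples": len(ids),
        "duplicates": len(ids) - len(set(ids)),
        # positions whose characters are constant or heavily skewed
        "weak_positions": [i for i, h in enumerate(per_pos) if h < floor],
        # upper bound only: correlation between positions is ignored
        "estimated_bits": round(sum(per_pos), 1),
    }

def constructed_good(n):
    # Constructed sample: hash output stands in for IDs drawn from a CSPRNG.
    return [hashlib.sha256(b"good-%d" % i).hexdigest()[:32] for i in range(n)]

def constructed_weak(n):
    # Constructed sample: coarse timestamp + counter + fixed node tag + 32 random bits.
    return ["%08x%08x%s%s" % (0x54BD0000 + i // 50, i, "a1b2c3d4",
                              hashlib.sha256(b"weak-%d" % i).hexdigest()[:8])
            for i in range(n)]

if __name__ == "__main__":
    for name, sample in (("good", constructed_good(2000)),
                         ("weak", constructed_weak(2000))):
        print(name, assess(sample))
```

Both samples are 32 hex characters long, yet the second carries well under half the estimated bits of the first, which is the kind of "obvious sign" a black-box test can actually report.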
