[Owasp-testing] Testing for logout functionality (OTG-SESS-006)

Simon owasp at 31337.it
Mon Dec 14 11:40:19 UTC 2015

On  2014-09-16 10:46:01, Lode Vanstechelman wrote:
> Hello,
> I'm not sure if it can still be added to the TestingGuide v4, but I have
> added a paragraph to the "Testing for logout functionality (OTG-SESS-006)"
> page.
> I find it important since the weakness described on this wiki page is
> present in all ASP.NET versions when using Form Authentication, what is
> commonly used in web applications.
> Therefore I think it would be good if it could still be added to v4.
> For those interested: the weakness in ASP.NET is standard textbook: on
> logout, the cookie in the browser is removed, but the cookie value can be
> reused to gain access to the authenticated session. See links [1] and [2]
> below.
> Kind regards,
> Lode
> [1] "The FormsAuthentication.SignOut method does not prevent cookie reply
> attacks in ASP.NET applications" -
> http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
> [2] "Cookie replay attacks in ASP.NET when using forms authentication" -
> http://goo.gl/b0Le1

Hello Lode and testing ML,

The cookie replay attack described here is only possible if an attacker
gets a hold of the cookie in first place, which is not possible if
- the cookie is transmitted over TLS
- the cookie is marked as secure
- the cookie is httpOnly

Keeping this paragraph worded like this in the testing guide makes every
web application that uses only cookies as a session store "insecure",
even when there are no vulnerabilities that would allow a theft of the
cookie. Using cookie-only session stores allows web application
developers to write highly scalable apps, and should in my opinion not
be ruled as insecure when they really are not.

I would propose to specify this at the end of this paragraph, or to
remove it entirely.

I would also propose to remove the paragraph "Testing for server-side
session termination"
If there is no session on the server side, it can not be terminated.


More information about the Owasp-testing mailing list