[Owasp-testing] Testing for logout functionality (OTG-SESS-006)
owasp at 31337.it
Mon Dec 14 11:40:19 UTC 2015
On 2014-09-16 10:46:01, Lode Vanstechelman wrote:
> I'm not sure if it can still be added to the TestingGuide v4, but I have
> added a paragraph to the "Testing for logout functionality (OTG-SESS-006)"
> I find it important since the weakness described on this wiki page is
> present in all ASP.NET versions when using Form Authentication, which is
> commonly used in web applications.
> Therefore I think it would be good if it could still be added to v4.
> For those interested: the weakness in ASP.NET is standard textbook: on
> logout, the cookie in the browser is removed, but the cookie value can be
> reused to gain access to the authenticated session. See links  and 
> Kind regards,
>  "The FormsAuthentication.SignOut method does not prevent cookie replay
> attacks in ASP.NET applications" -
>  "Cookie replay attacks in ASP.NET when using forms authentication" -
Hello Lode and testing ML,
The cookie replay attack described here is only possible if an attacker
gets a hold of the cookie in the first place, which is not possible if
- the cookie is transmitted over TLS
- the cookie is marked as secure
- the cookie is httpOnly
Keeping this paragraph worded like this in the testing guide makes every
web application that uses only cookies as a session store "insecure",
even when there are no vulnerabilities that would allow a theft of the
cookie. Using cookie-only session stores allows web application
developers to write highly scalable apps, and should in my opinion not
be ruled as insecure when they really are not.
I would propose to specify this at the end of this paragraph, or to
remove it entirely.
I would also propose to remove the paragraph "Testing for server-side
If there is no session on the server side, it can not be terminated.
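Editor's note (not part of either message): the two positions above turn on one mechanism, a self-contained authentication cookie whose validity the server checks purely by verifying a MAC, so that deleting it from the browser at logout does not stop an already-captured copy from verifying. The following Python model, written for this thread and not taken from ASP.NET, the OWASP Testing Guide or either poster, shows that behaviour and the small amount of server-side state (a per-user "tickets issued before this time are dead" map) that makes logout enforceable. The key, ticket format, `MAX_AGE_SECONDS` and the revocation map are all constructed assumptions; `validate_stateless` stands in for a cookie-only check and `validate_revocable` for the hardened one.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; a real server loads this from configuration.
SERVER_KEY = b"constructed-demo-key-not-for-production"
# Assumed absolute lifetime of a ticket (8 hours).
MAX_AGE_SECONDS = 8 * 3600


def issue_ticket(user, issued_at, key=SERVER_KEY):
    """Build a self-contained auth ticket: base64(payload) '.' HMAC-SHA256."""
    payload = json.dumps({"user": user, "iat": issued_at}, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def _verified_payload(ticket, now, key):
    """Return the payload dict if the MAC verifies and the ticket is not too old."""
    try:
        payload_b64, mac = ticket.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # forged or tampered
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    iat = data.get("iat")
    if not isinstance(iat, (int, float)) or now - iat > MAX_AGE_SECONDS:
        return None  # malformed or expired
    return data


def validate_stateless(ticket, now, key=SERVER_KEY):
    """Cookie-only session store: MAC and age are all the server can check.

    Nothing here can know that the user logged out, so a copy of the cookie
    captured before logout keeps verifying until MAX_AGE_SECONDS runs out.
    """
    data = _verified_payload(ticket, now, key)
    return None if data is None else data["user"]


def logout(user, revocations, now):
    """Record that every ticket issued to `user` up to `now` is dead.

    `revocations` is the one piece of server-side state the stateless design
    lacks: a per-user timestamp, not a full session table.
    """
    revocations[user] = now


def validate_revocable(ticket, now, revocations, key=SERVER_KEY):
    """Stateless check plus the revocation map: rejects replay after logout."""
    data = _verified_payload(ticket, now, key)
    if data is None:
        return None
    if data["iat"] <= revocations.get(data["user"], -1):
        return None  # issued no later than the user's last logout
    return data["user"]


if __name__ == "__main__":
    ticket = issue_ticket("alice", issued_at=1000)
    revoked = {}
    logout("alice", revoked, now=2000)
    print("stateless after logout:", validate_stateless(ticket, now=2500))
    print("revocable after logout:", validate_revocable(ticket, now=2500, revocations=revoked))
```

The revocation map grows by one timestamp per user who has logged out, and entries older than `MAX_AGE_SECONDS` can be dropped, because any ticket they would reject has expired on its own by then; that is what keeps the scalability argument from the reply intact while still giving the tester a server-side effect to observe at OTG-SESS-006.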