[Owasp-testing] Testing for logout functionality (OTG-SESS-006)

Christer christer at swedakonsult.com
Mon Dec 14 15:20:09 UTC 2015

On Dec 14, 2015, at 03:40, Simon <owasp at 31337.it <mailto:owasp at 31337.it>> wrote:
> On  2014-09-16 10:46:01, Lode Vanstechelman wrote:
>> Hello,
>> I'm not sure if it can still be added to the TestingGuide v4, but I have
>> added a paragraph to the "Testing for logout functionality (OTG-SESS-006)"
>> page.
>> I find it important since the weakness described on this wiki page is
>> present in all ASP.NET <http://asp.net/> versions when using Form Authentication, what is
>> commonly used in web applications.
>> Therefore I think it would be good if it could still be added to v4.
>> For those interested: the weakness in ASP.NET <http://asp.net/> is standard textbook: on
>> logout, the cookie in the browser is removed, but the cookie value can be
>> reused to gain access to the authenticated session. See links [1] and [2]
>> below.
>> Kind regards,
>> Lode
>> [1] "The FormsAuthentication.SignOut method does not prevent cookie reply
>> attacks in ASP.NET <http://asp.net/> applications" -
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;900111 <http://support.microsoft.com/default.aspx?scid=kb;en-us;900111>
>> [2] "Cookie replay attacks in ASP.NET when using forms authentication" -
>> http://goo.gl/b0Le1
> Hello Lode and testing ML,
> The cookie replay attack described here is only possible if an attacker
> gets a hold of the cookie in first place, which is not possible if
> - the cookie is transmitted over TLS
> - the cookie is marked as secure
> - the cookie is httpOnly
> Keeping this paragraph worded like this in the testing guide makes every
> web application that uses only cookies as a session store "insecure",
> even when there are no vulnerabilities that would allow a theft of the
> cookie. Using cookie-only session stores allows web application
> developers to write highly scalable apps, and should in my opinion not
> be ruled as insecure when they really are not.
> I would propose to specify this at the end of this paragraph, or to
> remove it entirely.
> I would also propose to remove the paragraph "Testing for server-side
> session termination"
> If there is no session on the server side, it can not be terminated.
> [1]https://www.owasp.org/index.php?title=Testing_for_logout_functionality_%28OTG-SESS-006%29&diff=182424&oldid=180243 <https://www.owasp.org/index.php?title=Testing_for_logout_functionality_%28OTG-SESS-006%29&diff=182424&oldid=180243>
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org <mailto:Owasp-testing at lists.owasp.org>
> https://lists.owasp.org/mailman/listinfo/owasp-testing <https://lists.owasp.org/mailman/listinfo/owasp-testing>


The things you’ve listed are all valid improvements on the threat vector(s). However, I would recommend to treat them as mitigations to reduce the risks and not as guarantees to remove the attack vector(s). Did you by any chance use something like OWASP Cornucopia to show the need for the safeguards you’ve listed?

I’ve worked on websites that persist the sessions in cookies, rather than server-side, and this should always be treated as something that comes with risks that need to be assessed and accepted/rejected. Attack vectors/vulnerabilities should be treated separately from the acceptance of the risks they entail. So, a company might assess the risks as “acceptable" and continue with solutions that don’t provide a “server-side session termination”. However, having it in the testing guidelines is valid since it requires the company to make a conscious decision about the risk rather than not know about the vulnerability.

It can be dangerous (depending on your security requirements) to rely too heavily on TLS since there’s no clear understanding of how often it fails and there have been several zero-day vulnerabilities over the last couple of years.

Hope that all makes some sense.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-testing/attachments/20151214/30ff20ab/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2422 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-testing/attachments/20151214/30ff20ab/attachment.bin>

More information about the Owasp-testing mailing list