[OWASP-Security101] Don't understand OWASP 2010 A3 redirect after login

Tom Mackenzie tom.mackenzie at owasp.org
Mon Aug 20 10:37:27 UTC 2012


Hi,

It is more of a physical issue. If someone gets access to the machine and
the application doesn't use a 302 redirect, the credentials will be
re-POSTed when using the back and refresh buttons. Put an intercepting proxy
in between and you then see the issue.

Thanks,
Thomas

On Fri, Aug 17, 2012 at 10:15 PM, Uncle Bob <testme47 at gmail.com> wrote:

> I got a report from a customer running an OWASP test against my
> hand-written web app that it doesn't issue a 302 redirect after
> successful login.  The customer sent me the description of this
> problem included in whatever report he got, but I don't understand it.
>  I tried putting in a 302 redirect after successful login, but I don't
> see that it protects anything; for example, I thought that it might
> prevent someone from logging in without knowing the username and
> password by using "back" and "refresh" buttons in firefox after
> logging out, but it does not protect against that.
>
> Can someone explain this vulnerability better, tutorial style or with
> a good example, so I can understand and determine whether my change to
> the webapp login really protects against something that needs to be
> protected against?  I'm not finding a good explanation on owasp.org
> (if it's there, maybe all I need is for somebody to point me to the
> right page).
>
> Thanks,
> Uncle Bob
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>
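The following is an added illustration of the behaviour Thomas describes; it is not code from either poster or from any OWASP project. It models a login endpoint both without and with a 302 redirect after a successful POST, plus a minimal browser whose "refresh" replays the last navigation the way real browsers do. The route names, the `alice` account and the in-memory session store are all constructed for the example.

```python
"""Post/Redirect/Get on login: what a 302 after a successful POST changes."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


USERS = {"alice": "correct horse"}   # constructed sample credentials
SESSIONS = {}                         # sid -> username (constructed in-memory store)


def login(req, use_redirect):
    """POST /login: on success, either answer 200 in place or 302 to /home."""
    if req.method == "GET":
        return Response(200, body="login form")
    if USERS.get(req.form.get("user")) != req.form.get("password"):
        return Response(401, body="bad credentials")
    sid = secrets.token_hex(16)
    SESSIONS[sid] = req.form["user"]
    headers = {"Set-Cookie": f"sid={sid}; HttpOnly"}
    if use_redirect:
        headers["Location"] = "/home"          # Post/Redirect/Get pattern
        return Response(302, headers)
    return Response(200, headers, body="welcome " + req.form["user"])


def home(req):
    user = SESSIONS.get(req.cookies.get("sid"))
    if user is None:
        return Response(302, {"Location": "/login"})
    return Response(200, body="home of " + user)


def dispatch(req, use_redirect):
    if req.path == "/login":
        return login(req, use_redirect)
    if req.path == "/home":
        return home(req)
    return Response(404)


class Browser:
    """Tiny browser model: keeps cookies, follows 302s, and remembers the
    last navigation so that refresh() replays it, POST body included."""

    def __init__(self, use_redirect):
        self.use_redirect = use_redirect
        self.cookies = {}
        self.history = []      # every request sent; an intercepting proxy sees these
        self.last = None

    def navigate(self, req):
        req.cookies = dict(self.cookies)
        self.history.append(req)
        resp = dispatch(req, self.use_redirect)
        if "Set-Cookie" in resp.headers:
            name, value = resp.headers["Set-Cookie"].split(";")[0].split("=")
            self.cookies[name] = value
        if resp.status == 302:
            # Following the redirect makes a GET the last navigation.
            return self.navigate(Request("GET", resp.headers["Location"]))
        self.last = req
        return resp

    def refresh(self):
        """Refresh re-issues the last navigation exactly as it was sent."""
        r = self.last
        return self.navigate(Request(r.method, r.path, dict(r.form)))


def credential_posts(browser):
    """How many requests on the wire carried the password."""
    return sum(1 for r in browser.history
               if r.method == "POST" and "password" in r.form)


def demo(use_redirect):
    """Log in, hit refresh, report (password submissions seen, last method)."""
    b = Browser(use_redirect)
    b.navigate(Request("POST", "/login",
                       {"user": "alice", "password": "correct horse"}))
    b.refresh()
    return credential_posts(b), b.last.method


if __name__ == "__main__":
    print("no redirect:", demo(False))   # password sent twice, refresh re-POSTs
    print("302 redirect:", demo(True))   # password sent once, refresh is a GET
```

Without the redirect, the page the browser is sitting on after login is the POST result itself, so refresh (or back-then-refresh) resubmits the cached credentials and creates a fresh session; a proxy on the path sees the password go by again. With the 302, the resting page is a plain GET of `/home`, so refresh carries only the session cookie.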

