Testing for Session Management Schema (OTG-SESS-001)

Brief Summary
..here: we describe in "natural language" what we want to test.

Description of the Issue
The session management schema should be considered alongside the authentication and authorisation schema, and should cover at least the following questions from a non-technical point of view:
- Will the application be accessed from shared systems (e.g. an Internet café)?
- Is application security of prime concern to the visiting client/customer?
- How many concurrent sessions may a user have?
- How long is the inactive timeout on the application?
- How long is the active timeout?
- Are sessions transferable from one source IP to another?
- Is ‘remember my username’ functionality provided?
- Is ‘automatic login’ functionality provided?

Having identified the schema in place, the application and its logic must be examined to confirm proper implementation of the schema. This phase of testing is intrinsically linked with general application security testing. Whilst the first schema questions (is the schema suitable for the site, and does the schema meet the application provider’s requirements?) can be analysed in the abstract, the final question (does the site implement the specified schema?) must be considered alongside other technical testing.

The identified schema should be analysed against best practice within the context of the site during the penetration test. Where the defined schema deviates from security best practice, the associated risks should be identified and described within the context of the environment. Security risks and issues should be detailed and quantified, but ultimately the application provider must make decisions based on the security and usability of the application. For example, if it is determined that the site has been designed without inactive session timeouts, the application provider should be advised about risks such as replay attacks, long-term attacks based on stolen or compromised session IDs, and abuse of a shared terminal where the application wasn’t logged out. They must then weigh these against other requirements such as convenience of use for clients and disruption of the application by forced re-authentication.
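As an added illustration (not code from the guide), the following reference session store shows what "implementing the specified schema" means in practice: each check in it corresponds to one of the schema questions above (inactive timeout, active timeout, concurrent sessions, transferability between source IPs). The class and field names are hypothetical, and the timeout values a tester would plug in are whatever the site's own schema states.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class SessionSchema:
    """Answers to the schema questions for one hypothetical site (constructed values)."""
    inactive_timeout: Optional[int]  # seconds idle before the session is dropped; None = never
    active_timeout: Optional[int]    # absolute lifetime in seconds; None = never
    max_concurrent: int              # sessions one user may hold at once
    bind_source_ip: bool             # refuse a session presented from a different source IP

@dataclass
class Session:
    user: str
    ip: str
    created: float
    last_seen: float

class SessionStore:
    """Reference enforcement of a SessionSchema; each check maps to one schema question."""
    def __init__(self, schema: SessionSchema):
        self.schema = schema
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str, now: float) -> str:
        live = [sid for sid, s in self._sessions.items() if s.user == user]
        # Concurrent-session cap: evict the user's oldest session rather than exceed it.
        while len(live) >= self.schema.max_concurrent:
            oldest = min(live, key=lambda sid: self._sessions[sid].created)
            del self._sessions[oldest]
            live.remove(oldest)
        sid = secrets.token_urlsafe(32)  # unpredictable session identifier
        self._sessions[sid] = Session(user, ip, now, now)
        return sid

    def validate(self, sid: str, ip: str, now: float) -> Optional[str]:
        """Return the user of a valid session; on any schema violation drop it and return None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        sch = self.schema
        idle = sch.inactive_timeout is not None and now - s.last_seen > sch.inactive_timeout
        stale = sch.active_timeout is not None and now - s.created > sch.active_timeout
        if idle or stale or (sch.bind_source_ip and ip != s.ip):
            del self._sessions[sid]
            return None
        s.last_seen = now  # activity resets the inactive timer, never the absolute one
        return s.user
```

A gray-box tester can compare an application's observed behaviour against this model: a session that survives an IP change, an idle period past the stated inactive timeout, or a second concurrent login beyond the cap indicates the implementation does not match the declared schema.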

Black Box testing and example
Testing for Topic X vulnerabilities: ... Result Expected: ...

Gray Box testing and example
Testing for Topic X vulnerabilities: ... Result Expected: ...