Difference between revisions of "Testing for Session Management"

From OWASP
Jump to: navigation, search
(4.5 Session Management Testing)
Line 1: Line 1:
[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]<br>
+
{{Template:OWASP Testing Guide v3}}
 
+
{{Template:OWASP Testing Guide v2}}
+
  
 
=== 4.5 Session Management Testing ===
 
=== 4.5 Session Management Testing ===
Line 12: Line 10:
 
Whilst there are accepted best practices for application development, such as those outlined in the OWASP Guide to Building Secure Web Applications, it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter we describe the following items.<br>
 
Whilst there are accepted best practices for application development, such as those outlined in the OWASP Guide to Building Secure Web Applications, it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter we describe the following items.<br>
  
[[ Analysis of the Session Management Schema AoC| 4.5.1 Analysis of the Session Management Schema]]<br>
+
[[Testing for Session_Management_Schema|4.7.1 Testing for Session Management Schema]]<br>
 
This paragraph describes how to analyse a Session Management Schema, with the goal to understand how the Session Management mechanism has been developed and if it is possible to break it<br>
 
This paragraph describes how to analyse a Session Management Schema, with the goal to understand how the Session Management mechanism has been developed and if it is possible to break it<br>
[[ Cookie and Session Token Manipulation AoC|4.5.2 Cookie and Session Token Manipulation]]<br>
+
[[Testing for Cookie and Session Token Manipulation|(new)4.7.2 Test the token strength (old 4.5.2 Testing for Cookie and Session Token Manipulation)]]<br>
 
Here it is explained how to test the security of session Token issued to the Client: how to make a cookie reverse engineering, and a cookie manipulation to force an hijacked session to work<br>
 
Here it is explained how to test the security of session Token issued to the Client: how to make a cookie reverse engineering, and a cookie manipulation to force an hijacked session to work<br>
[[ Exposed Session Variables AoC|4.5.3 Exposed Session Variables ]]<br>
+
 
 +
[[Testing for cookies attributes| (new: K.Horvath - 100%) 4.7.3 Testing for Cookies attributes]]
 +
 
 +
[[Testing for Session Fixation| (new: M.Meucci) 4.7.4. Testing for Session Fixation]]
 +
 
 +
[[Testing for Exposed Session Variables|4.7.5 Testing for Exposed Session Variables ]]<br>
 
Session Tokens represent confidential informations because they tie the user identity with his own session. It's possible to test if the session token is exposed to this vulnerability and  try to create a replay session attack.
 
Session Tokens represent confidential informations because they tie the user identity with his own session. It's possible to test if the session token is exposed to this vulnerability and  try to create a replay session attack.
 
<br>
 
<br>
[[ Testing for CSRF|4.5.4 Cross Site Request Forgery (CSRF) ]]<br>
+
[[Testing for CSRF|4.7.6 Testing for CSRF]]<br>
 
CSRF describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated.<br>
 
CSRF describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated.<br>
[[ HTTP Exploit AoC|4.5.5 HTTP Exploit ]]<br>
+
[[Testing for HTTP Exploit|4.7.7 Testing for HTTP Exploit ]]<br>
 
Here is described how to test for an HTTP Exploit.<br><br>
 
Here is described how to test for an HTTP Exploit.<br><br>
 
 
{{Category:OWASP Testing Project AoC}}
 

Revision as of 08:40, 14 August 2008

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Contents


4.5 Session Management Testing


At the core of any web-based application is the way in which it maintains state and thereby controls user-interaction with the site. Session Management broadly covers all controls on a user from authentication to leaving the application. HTTP is a stateless protocol, meaning web servers respond to client requests without linking them to each other. Even simple application logic requires a user's multiple requests to be associated with each other across a "session”. This necessitates third party solutions – through either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations. Most popular web application environments, such as ASP and PHP, provide developers with built in session handling routines. Some kind of identification token will typically be issued, which will be referred to as a “Session ID” or Cookie.
There are a number of ways a web application may interact with a user. Each is dependent upon the nature of the site, the security and availability requirements of the application. Whilst there are accepted best practices for application development, such as those outlined in the OWASP Guide to Building Secure Web Applications, it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter we describe the following items.

4.7.1 Testing for Session Management Schema
This paragraph describes how to analyse a Session Management Schema, with the goal to understand how the Session Management mechanism has been developed and if it is possible to break it
(new)4.7.2 Test the token strength (old 4.5.2 Testing for Cookie and Session Token Manipulation)
Here it is explained how to test the security of session Token issued to the Client: how to make a cookie reverse engineering, and a cookie manipulation to force an hijacked session to work

(new: K.Horvath - 100%) 4.7.3 Testing for Cookies attributes

(new: M.Meucci) 4.7.4. Testing for Session Fixation

4.7.5 Testing for Exposed Session Variables
Session Tokens represent confidential informations because they tie the user identity with his own session. It's possible to test if the session token is exposed to this vulnerability and try to create a replay session attack.
4.7.6 Testing for CSRF
CSRF describes a way to force an unknowing user to execute unwanted actions on a web application in which he is currently authenticated.
4.7.7 Testing for HTTP Exploit
Here is described how to test for an HTTP Exploit.