Sunday, February 19, 2012

OWASP Session Management Cheat Sheet (v2.0) & Podcast

On July 2011 the OWASP Session Management CheatSheet was released with the main goal of becoming a useful security reference for web application architects, developers, and security professionals. The document tries to summarize in a concise way all the best practices, recommendations, and countermeasures required to improve the security of today's session management implementations in web applications. The results on our web application penetration tests over the last few years, unfortunately, ratify that session management vulnerabilities are very common and widely prevalent in critical web applications still today.

Jim Manico gave me the opportunity to include this content in the famous OWASP CheatSheet series and talk about this topic. As a result, OWASP Podcast number 90, "Raul Siles", has been released (check the whole OWASP Podcast series). Thanks Jim!

Around October 2011 I slightly updated the official CheatSheet version in the OWASP Wiki, and last week, in sync with the podcast release, I've published a new version (v2.0). This updated downloadable version (in PDF format) includes the updates from October (check the Wiki and document changelog) plus a new feature I plan to expand in future versions of this document: It includes additional session management references to attacks, pen-testing and auditing techniques, tools, and demonstrations complementing the original security countermeasures and defensive recommendations. 
This new version, v2.0, includes the first 10 references/demos, including the OWASP Cookie Database Project, the BIG-­‐IP_cookie_decoder.py and TLSSLed tools, the OddJob session hijacking banking trojan, and more.

I encourage everybody involved in web applications security to review the OWASP Session Management CheatSheet, apply its contents to the currently available web applications and implementations, help spreading the word and contribute to it.

Image src: http://www.gabrielwoo.com/cookie-monster.jpg

No comments:

Post a Comment