Title :
A vulnerability scanning tool for session management vulnerabilities
Author :
Lukanta, Raymond ; Asnar, Yudistira ; Kistijantoro, A. Imam
Author_Institution :
Sch. of Electr. Eng. & Inf., Inst. Teknol. Bandung, Bandung, Indonesia
Abstract :
Session management vulnerabilities form a group of vulnerabilities that is still frequently discovered. They consist of session fixation, CSRF, and insufficient cookie attributes. In the OWASP Top 10 2013, session management issues are ranked 2nd, while CSRF is ranked 8th. To detect session management vulnerabilities, we developed a vulnerability scanning tool that extends an existing open source tool, namely Nikto. To validate our tool, we performed two types of testing: functional testing and field testing. In functional testing, we created synthetic test cases to show that all functionalities work correctly. In field testing, we used several existing projects and found that Nikto failed to execute some test cases and also produced some false negatives. The false negatives are caused by an error in the CSRF detector's random-token detection.
Keywords :
program testing; search engines; CSRF detector; Nikto; OWASP; cross-site request forgery; false negative; field testing; functional testing; insufficient cookies attributes; open source tool; random token detection; session fixation; session management vulnerabilities; synthetic test cases; vulnerability scanning tool; Authentication; Browsers; Detectors; Facebook; Software; Testing; Uniform resource locators; Google Chrome extension; Nikto; black box testing; session management vulnerabilities; vulnerability scanning;
Conference_Title :
Data and Software Engineering (ICODSE), 2014 International Conference on
Print_ISBN :
978-1-4799-8175-5
DOI :
10.1109/ICODSE.2014.7062682