I need some clarification on testing of session management vulnerabilities in web apps. My team downloaded the BDD-Security framework from github(http://ift.tt/2oRwPnC) and is customizing it for our in-house Enterprise Web Apps.
I was asked to write automated scripts for checking session management vulnerabilities in the app. Most of the session management scenarios described in OWASP testing guide(http://ift.tt/1sBjKoQ) requires me to get hold of the Cookies. I contacted a developer of my web app who said that all our cookies are non persistent cookies. Using Selenium getcookies, I am not able to get hold of the cookies. A null value is always returned by getcookies method
Our app authentication works on Enterprise SSO and I see some cookies/sessions created when I press F12 in Firefox and observe the Cookies tab.
Can't I test non persistent cookies using Selenium? I understand persistent are the ones that are stored in client disk and non persistent are the ones which reside in browser memory and are destroyed when the browser is closed or session ends. Any help in this regard is higly appreciated.
Regards Srinivas
Aucun commentaire:
Enregistrer un commentaire