Secure flag is showing set but we are still getting "cookie without secure flag" in zap report


Amit Kumar

Jun 20, 2018, 7:40:21 AM6/20/18
to OWASP ZAP User Group
Hi All,

While checking manually in the browser, the cookies are set as secure.
If I run OWASP ZAP on the same URL, the ZAP HTML report gives the error "cookie without secure flag".

Please help me to understand it.

Thanks
Amit

thc...@gmail.com

Jun 20, 2018, 7:47:24 AM6/20/18
to zaprox...@googlegroups.com
Hi.

Is the secure flag present in the Set-Cookie header of that message?

Best regards.

Amit Kumar

Jun 20, 2018, 8:02:17 AM6/20/18
to OWASP ZAP User Group
Please check this screenshot.

Amit Kumar

Jun 21, 2018, 12:59:02 AM6/21/18
to OWASP ZAP User Group
Hey,

Yes, the secure flag is present in the Set-Cookie header.

Please give an answer if you have any suggestions about it.


On Wednesday, June 20, 2018 at 5:17:24 PM UTC+5:30, thc202 wrote:

thc...@gmail.com

Jun 21, 2018, 3:27:29 AM6/21/18
to zaprox...@googlegroups.com
Hi.

Could you check in ZAP instead? Specifically the message that's
associated with the alert? (That's what ZAP used to raise the alert.)

Best regards.

Amit Kumar

Jun 21, 2018, 9:32:35 AM6/21/18
to zaprox...@googlegroups.com
Hi,

I have checked in ZAP, please refer to the attached image.

Thanks

--
You received this message because you are subscribed to a topic in the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/zaproxy-users/WCLFZJe9A0A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to zaproxy-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/df581f5a-ab1a-287a-860e-1ce4258c474d%40gmail.com.
For more options, visit https://groups.google.com/d/optout.



--
Thanks and Regards,
Amit Kumar
906000306

thc...@gmail.com

Jun 22, 2018, 7:17:42 AM6/22/18
to zaprox...@googlegroups.com
Hi.

Could you check the whole Set-Cookie header in the Response tab?

Best regards.

On 21/06/18 14:32, Amit Kumar wrote:
> Hi,
>
> I have checked in ZAP, please refer to the attached image.

Amit Kumar

Jun 26, 2018, 1:05:15 PM6/26/18
to OWASP ZAP User Group
Please check.

kingthorin+owaspzap

Jun 26, 2018, 3:48:25 PM6/26/18
to OWASP ZAP User Group
Can you confirm, you selected the alert (not something in the Sites Tree or History) and then the response tab?

I'm totally unable to recreate the issue you're having.

Amit Kumar

Jun 27, 2018, 7:59:07 AM6/27/18
to zaprox...@googlegroups.com
Yes, I selected the alert.

On Wed, Jun 27, 2018 at 1:18 AM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
Can you confirm, you selected the alert (not something in the Sites Tree or History) and then the response tab?

I'm totally unable to recreate the issue you're having.


thc...@gmail.com

Jun 27, 2018, 8:04:21 AM6/27/18
to zaprox...@googlegroups.com
Which versions of ZAP and passive scanner rules add-on did you use?

Best regards

Amit Kumar

Jun 27, 2018, 8:40:42 AM6/27/18
to zaprox...@googlegroups.com
ZAP version is 2.6.0
Passive scanner rules 2.4.0



kingthorin+owaspzap

Jun 27, 2018, 4:59:03 PM6/27/18
to OWASP ZAP User Group
1) You should upgrade to 2.7.0
2) 2.4.0 doesn’t make sense. https://github.com/zaproxy/zaproxy/wiki/FAQAddonVersions

Amit Kumar

Jun 28, 2018, 1:22:52 AM6/28/18
to zaprox...@googlegroups.com
Sorry,

Passive scanner rules version -> 20

On Thu, Jun 28, 2018 at 2:29 AM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
1) You should upgrade to 2.7.0
2) 2.4.0 doesn’t make sense. https://github.com/zaproxy/zaproxy/wiki/FAQAddonVersions

kingthorin+owaspzap

Jun 28, 2018, 5:17:57 AM6/28/18
to OWASP ZAP User Group
You need to upgrade both components.

https://github.com/zaproxy/zap-extensions/releases

Amit Kumar

Jun 28, 2018, 6:40:50 AM6/28/18
to OWASP ZAP User Group
Hi,
I have upgraded both components; the version of ZAP is 2.7.0 and passive scan rules is 22.
But if I put an active scan on any URL, it is showing 100% complete within 1 sec (now not able to scan).

kingthorin+owaspzap

Jun 28, 2018, 1:34:58 PM6/28/18
to OWASP ZAP User Group
That's completely separate from your original issue. Passive scanning and active scanning are separate.

After spidering/browsing the same content has your cookie issue been resolved?

Amit Kumar

Jun 29, 2018, 5:44:28 AM6/29/18
to zaprox...@googlegroups.com
Hi,

That's a different issue; I will resolve that.

My main issue is that when I select the particular URL from History, the Secure flag is present in the Response tab.
But when I select the Alert, the Secure flag is not present in the Response tab.



On Thu, Jun 28, 2018 at 11:04 PM, kingthorin+owaspzap <kingt...@gmail.com> wrote:
That's completely separate from your original issue. Passive scanning and active scanning are separate.

After spidering/browsing the same content has your cookie issue been resolved?

kingthorin+owaspzap

Jun 29, 2018, 8:42:27 AM6/29/18
to OWASP ZAP User Group
Cool so now you know that ZAP is indeed encountering the cookie as described. You just have to unwind the difference in the requests and address why your app/server is handling the two requests differently.
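The check thc202 and kingthorin walk through in this thread (look at the Set-Cookie header of the exact message the alert is attached to, not at some other response for the same URL), as an added example that is not part of the original thread and not ZAP's own rule code: a small Python parser that pulls every Set-Cookie header out of a raw HTTP response, lists the cookies that lack the Secure attribute (the condition behind ZAP's "Cookie Without Secure Flag" passive alert), and diffs two responses for the same URL so that a cookie which is Secure in one message and not in the other stands out. The two responses are constructed sample data; the real ZAP rule applies further conditions (for instance it only looks at responses served over HTTPS), so this is the core comparison, not a reimplementation.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not from the thread): the same URL answered twice.
# RESPONSE_A is what the History entry showed; RESPONSE_B is the message the
# alert was raised on, where the session cookie came back without Secure.
RESPONSE_A = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n"
    "<html></html>"
)
RESPONSE_B = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=def456; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure\r\n"
    "\r\n"
    "<html></html>"
)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_attributes(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and an
    attribute map keyed in lower case (RFC 6265 attribute names are
    case-insensitive); flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookies_without_secure(raw_response: str) -> List[str]:
    """Names of cookies set by this response that lack the Secure attribute,
    i.e. the cookies a 'cookie without secure flag' finding would name."""
    missing = []
    for value in set_cookie_headers(raw_response):
        name, attrs = cookie_attributes(value)
        if "secure" not in attrs:
            missing.append(name)
    return missing


def diff_responses(resp_a: str, resp_b: str) -> Dict[str, Tuple[bool, bool]]:
    """For each cookie name seen in either response, report whether it carried
    Secure in A and in B. A (True, False) entry is the situation in the thread:
    Secure in the History message, missing in the message behind the alert."""

    def secure_map(resp: str) -> Dict[str, bool]:
        return {
            name: "secure" in attrs
            for name, attrs in (cookie_attributes(v) for v in set_cookie_headers(resp))
        }

    a, b = secure_map(resp_a), secure_map(resp_b)
    return {name: (a.get(name, False), b.get(name, False)) for name in sorted(set(a) | set(b))}


if __name__ == "__main__":
    print("Response A missing Secure:", cookies_without_secure(RESPONSE_A))
    print("Response B missing Secure:", cookies_without_secure(RESPONSE_B))
    for name, (in_a, in_b) in diff_responses(RESPONSE_A, RESPONSE_B).items():
        print(f"{name}: Secure in A={in_a}, Secure in B={in_b}")
```

Run against the two constructed responses, `cookies_without_secure` reports nothing for A and `JSESSIONID` for B, and the diff shows `JSESSIONID` as `(True, False)`. That is the shape of the evidence to collect before concluding the scanner is wrong: the alert is tied to one specific response, so the next step is to compare the two requests (session state, redirects, which backend answered) and find out why the server emitted the cookie differently.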