Trouble with rules.cookie.ignorelist in CLI


MattMc

Mar 31, 2022, 11:47:30 AM3/31/22
to OWASP ZAP User Group
I'm trying to use rules.cookie.ignorelist in the CLI, but I am still seeing alerts in my reports for the cookies I'm setting to ignore.

Here's the command I'm using:
zap-cli start --start-options '-config api.disablekey=true -addonupdate database.recovery=false rules.cookie.ignorelist=BrowserId'

Yes, I'm using zap-cli; I'm not sure how well supported it is currently, but the other config items I'm setting are working OK, so I assume this should work.
I've tried variations on the syntax for the cookie name in the rules.cookie.ignorelist flag, but nothing seems to have an effect.

Here's an excerpt from a report:
### [ Cookie without SameSite Attribute ](https://www.zaproxy.org/docs/alerts/10054/)
...
* URL: https://<url>
  * Method: `GET`
  * Parameter: `BrowserId`
  * Attack: ``
  * Evidence: `Set-Cookie: BrowserId`


And the Chrome console showing the cookie:
[screenshot attached: Untitled.jpg]

Any help is appreciated!
Matt

kingthorin+owaspzap

Mar 31, 2022, 4:46:32 PM3/31/22
to OWASP ZAP User Group
Hi Matt, check out these docs; they should help you get the specific details sorted out: https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/
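
The FAQ linked above derives each command-line key from the element path in ZAP's config.xml, one `-config key=value` pair per `-config` flag. The following is an added example, not code from the thread or from the ZAP project: it walks a constructed config.xml fragment (the element names mirror the keys Matt used in his post and are assumptions, not a dump of a real installation), emits the dotted keys ZAP expects, and renders them as repeated `-config` flags so that a start-options string can be built without dropping a flag in front of a later key.

```python
"""Derive ZAP ``-config key=value`` keys from a config.xml fragment (added example)."""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample fragment. The shape (root <config>, nested elements whose
# path becomes a dotted key) follows the approach in the linked FAQ; the
# element names are taken from the keys in the original post and are
# illustrative assumptions, not a real ZAP config.xml.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <api>
    <disablekey>true</disablekey>
  </api>
  <database>
    <recovery>false</recovery>
  </database>
  <rules>
    <cookie>
      <ignorelist>BrowserId,JSESSIONID</ignorelist>
    </cookie>
  </rules>
</config>
"""


def config_keys(xml_text: str) -> dict:
    """Return {dotted.key: value} for every leaf element under the root.

    The dotted key is the element path below <config>, which is the form
    ZAP's ``-config`` flag takes. Repeated sibling elements (indexed keys)
    are out of scope here and would overwrite each other.
    """
    root = ET.fromstring(xml_text)
    keys = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            keys[".".join(path)] = (elem.text or "").strip()
            return
        for child in children:
            walk(child, path + [child.tag])

    for child in root:
        walk(child, [child.tag])
    return keys


def config_args(settings: dict) -> list:
    """Render settings as argv tokens: each key=value gets its own -config flag."""
    args = []
    for key, value in settings.items():
        args.extend(["-config", f"{key}={value}"])
    return args


def start_options(settings: dict, extra_flags=("-addonupdate",)) -> str:
    """Build a shell-quoted string suitable for passing to a ZAP launcher."""
    return shlex.join(list(extra_flags) + config_args(settings))


if __name__ == "__main__":
    found = config_keys(SAMPLE_CONFIG_XML)
    for key, value in found.items():
        print(f"{key}={value}")
    print(start_options(found))
```

Running the block prints the dotted keys recovered from the sample fragment and a start-options string in which every key is preceded by its own `-config`; a key that appears in the string without that prefix is simply ignored by ZAP, which is the first thing to check when a setting appears to have no effect.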

Simon Bennetts

Apr 1, 2022, 4:18:04 AM4/1/22
to OWASP ZAP User Group
FYI, zap-cli is a third-party tool and is not directly supported by the ZAP core team.
The automation options we support are listed on https://www.zaproxy.org/docs/automate/

Cheers,

Simon