How to test for cookie attributes in OWASP ZAP


fariba.h...@gmail.com

Mar 4, 2019, 2:29:33 PM
to OWASP ZAP User Group
Hi
I want to test for cookie attributes in OWASP ZAP but I cannot do it.
Please help me step by step.

kingthorin+owaspzap

Mar 4, 2019, 3:25:06 PM
to OWASP ZAP User Group
> but i can not do it

Maybe you could be more specific?

Cookie attributes are covered by passive scan rules, if you either proxied traffic for your app or ran a spider against it then it was probably checked for cookie attribute issues.
As part of the release quality passive scanners (that come with ZAP):

Beta (available via the marketplace):

Alpha (available via the marketplace):

Marketplace:

fariba.h...@gmail.com

Mar 4, 2019, 3:57:39 PM
to OWASP ZAP User Group
I ran the spider on the URL.
Cookies in the Params tab?
please see the picture

(attachment: 1.jpg)

kingthorin+owaspzap

Mar 4, 2019, 4:38:58 PM
to OWASP ZAP User Group
Ok, and?

fariba.h...@gmail.com

Mar 4, 2019, 11:29:27 PM
to OWASP ZAP User Group
How do I understand where the problem is? (According to the picture.)
What is the Flag column?
I cannot analyze that, please help me.

hauschu...@gmail.com

Mar 5, 2019, 2:31:09 AM
to OWASP ZAP User Group
Problems will be shown in the alerts tab on the far left. Unless you have specific requirements you are testing or expecting to see in those cookies, in which case you can look at those top two cookie lines and manually inspect the content. 

For instance, a cookie that contains a base64 encoded password would be a problem, or a cookie with sessionid and no 'httponly' flag set, or admin=yes, or any number of things.

The flag column just lists flags set on the cookie, which are little values in the cookie that determine how it behaves or is accessed in relation to the client (browser). 

You can analyze, as long as you know what you are expecting! By comparison, I recommend going into your favorite browser dev tools and looking at the cookies there as well... it is the same information just displayed differently, but usually there is not a lot to 'analyze' since they are just tiny text files.

What problem are you looking for? 
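The reply above says cookie problems surface in the Alerts tab and that the Flag column is just the attributes set on each cookie. As an added illustration of what such a passive check does (this is example code written for this page, not ZAP's own scan rules), the script below parses `Set-Cookie` headers from a constructed response and reports the attribute issues a reviewer would look for: missing `HttpOnly`, missing `Secure` on an HTTPS response, and a missing or misconfigured `SameSite` attribute. The header values are made-up sample data; the function and class names are this example's own.

```python
# Added example, not part of the original thread or of OWASP ZAP.
# A minimal "passive scan" over Set-Cookie headers: it never sends traffic,
# it only inspects headers already captured (as ZAP's passive rules do).
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieFinding:
    """One cookie and the attribute problems found on it."""
    name: str
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_cookie(header_value: str, over_https: bool = True) -> CookieFinding:
    """Flag the attribute weaknesses a passive cookie check would alert on."""
    name, _value, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(name)
    if "httponly" not in attrs:
        finding.issues.append("missing HttpOnly (cookie readable by page scripts)")
    if over_https and "secure" not in attrs:
        finding.issues.append("missing Secure (cookie may be sent over plaintext HTTP)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        finding.issues.append("missing SameSite attribute")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None without Secure; this is a misconfiguration.
        finding.issues.append("SameSite=None requires Secure")
    return finding


def scan_response_headers(headers: List[Tuple[str, str]],
                          over_https: bool = True) -> List[CookieFinding]:
    """Run check_cookie over every Set-Cookie header in a captured response."""
    return [check_cookie(value, over_https)
            for key, value in headers if key.lower() == "set-cookie"]


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "pref=dark; Path=/; SameSite=None"),
]

if __name__ == "__main__":
    for finding in scan_response_headers(SAMPLE_HEADERS):
        status = "OK" if not finding.issues else "; ".join(finding.issues)
        print(f"{finding.name}: {status}")
```

Running it lists `sessionid` with three missing attributes, `csrftoken` as clean, and `pref` with the invalid `SameSite=None` without `Secure`. The same attributes are what ZAP shows in the Flag column of the Params tab, so comparing that column against this kind of checklist is the manual version of what the passive rules automate.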

fariba hosseini25

Mar 5, 2019, 1:15:21 PM
to zaprox...@googlegroups.com
Thank you.

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/zaproxy-users/63ddefec-ca04-4d0e-aa45-fde2eb52b6e0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

fariba.h...@gmail.com

Mar 6, 2019, 2:19:47 AM
to OWASP ZAP User Group
Hello,
I want to test for a weak lockout mechanism but I don't know what tool to test that with.
Please help me.

hauschu...@gmail.com

Mar 6, 2019, 2:35:43 AM
to OWASP ZAP User Group
Is this still cookie related?

If not, I would recommend starting a new thread so they don't get mixed up!

But based on your question and cookies, this looks like what you are looking for:
But if you want some general ideas/rules on lock-out testing, this is a good place to start:
This might be relevant to some of the bigger picture you are dealing with:

fariba hosseini25

Mar 6, 2019, 3:14:55 AM
to zaprox...@googlegroups.com
No, it is a separate question.
