Why does Active Scan change the Cookie value?


falconws

Jun 21, 2021, 11:08:58 PM
to OWASP ZAP User Group
Hi.
I think this behavior is a bug.

1. Open the History tab
2. Confirm the Cookie value (e.g. CAKEPHP=xxxxxxxxx)
3. Right-click the request -> Attack -> Active Scan...
4. Click Custom Vectors
5. Confirm the Cookie value (CAKEPHP=yyyyyyyy)

Why does Active Scan change the Cookie value before starting the scan?
This behavior causes an invalid session, and the scan cannot run correctly.

Even if I add an ignore parameter (Name: CAKEPHP, Where: Cookie, URL: *) from the Input Vectors tab, this still occurs.

Thanks.

falconws

Jul 5, 2021, 9:45:17 PM
to OWASP ZAP User Group
Can anyone help?

> Confirm Cookie value (CAKEPHP=yyyyyyyy)

I confirmed that the session cookie value in step 5 is the previous (old) value.
This behavior occurs with Active Scan only (the Manual Request Editor does not have it).

Workaround: create a new ZAP session and do steps 1 to 5 again.
But this workaround scatters the ZAP session files.

Is there a good way to handle this?

Thanks.
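One thing worth checking before starting a new ZAP session each time is whether ZAP's HTTP Sessions feature is holding an older token for the site, since it substitutes the active session's cookies into requests sent by automated tools. The script below is an added example, not code from the thread or from the ZAP project: it reads the CAKEPHP value from the latest History request via the ZAP API, pins that value as the token of a fresh active HTTP session, then starts an Active Scan. It assumes a local ZAP instance at http://127.0.0.1:8080 with API key "changeme", the python-owasp-zap-v2.4 client, and that the site appears in the HTTP Sessions panel as example.test:443; SITE, TARGET and the cookie name are placeholders to adjust.

```python
"""Pin the session cookie ZAP sends during an Active Scan (added example).

Assumptions (not from the original thread):
  * ZAP is running at ZAP_ADDR with API key API_KEY
  * the python-owasp-zap-v2.4 client is installed (pip install python-owasp-zap-v2.4)
  * the target already has requests in History and is tracked by HTTP Sessions
    under SITE (host:port form)
"""
import time

try:
    from zapv2 import ZAPv2
except ImportError:          # client missing: the pure helpers below still work
    ZAPv2 = None

ZAP_ADDR = "http://127.0.0.1:8080"   # assumption: local ZAP API endpoint
API_KEY = "changeme"                 # assumption: API key configured in ZAP
SITE = "example.test:443"            # assumption: site name in HTTP Sessions panel
TARGET = "https://example.test/"     # assumption: URL to scan
COOKIE_NAME = "CAKEPHP"


def cookie_value(request_header, name):
    """Return the value of cookie `name` from a raw HTTP request header, else None."""
    for line in request_header.splitlines():
        if not line.lower().startswith("cookie:"):
            continue
        for pair in line.split(":", 1)[1].split(";"):
            key, _, value = pair.strip().partition("=")
            if key == name:
                return value
    return None


def latest_cookie_from_history(zap, baseurl, name):
    """Value of cookie `name` in the newest History request for `baseurl`, else None."""
    for msg in reversed(zap.core.messages(baseurl=baseurl)):
        value = cookie_value(msg.get("requestHeader", ""), name)
        if value is not None:
            return value
    return None


def pin_session_cookie(zap, site, name, value):
    """Create a new active HTTP session for `site` whose `name` token is `value`.

    A fresh session is created instead of editing the existing one so that an
    old token cached by ZAP cannot be reused. Returns the new session name.
    """
    if name not in zap.httpsessions.session_tokens(site):
        zap.httpsessions.add_session_token(site, name)
    session = "pinned-%d" % int(time.time())
    zap.httpsessions.create_empty_session(site, session)
    zap.httpsessions.set_active_session(site, session)
    zap.httpsessions.set_session_token_value(site, session, name, value)
    return session


def run_pinned_scan(zap, site, target, name):
    """Pin the current cookie, start an Active Scan and wait for it to finish."""
    value = latest_cookie_from_history(zap, target, name)
    if value is None:
        raise RuntimeError("no %s cookie found in History for %s" % (name, target))
    session = pin_session_cookie(zap, site, name, value)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(2)
    # Sanity check: the scanner's own requests should now carry the pinned value.
    sent = latest_cookie_from_history(zap, target, name)
    return {"session": session, "pinned": value, "last_sent": sent}


if __name__ == "__main__":
    if ZAPv2 is None:
        raise SystemExit("install python-owasp-zap-v2.4 first")
    client = ZAPv2(apikey=API_KEY, proxies={"http": ZAP_ADDR, "https": ZAP_ADDR})
    print(run_pinned_scan(client, SITE, TARGET, COOKIE_NAME))
```

If `last_sent` still differs from `pinned` after the scan, the substitution is not coming from HTTP Sessions and the new-ZAP-session workaround above remains the practical option.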