Any guidance on how can I test Session hihajacking, Session Fixation test cases on ZAP?
255 views
Skip to first unread message
Salman Khwaja
Aug 11, 2017, 7:27:37 AM8/11/17
to OWASP ZAP User Group
Any guidance on how can I test Session hijacking, Session Fixation test cases on ZAP with two users ?
kingthorin+owaspzap
Aug 11, 2017, 8:35:46 AM8/11/17
to OWASP ZAP User Group
Get Active Scan Rules (Beta) from the Marketplace:
https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAscanrulesBetaAscanbeta#session-fixation
Include the "Session Fixation" active scanner in your scan policy.
kingthorin+owaspzap
Aug 11, 2017, 8:38:50 AM8/11/17
to OWASP ZAP User Group
Also in your Passive Scan rules make sure you've enabled: Session ID In URL Rewrite
https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules#session-id-in-url-rewrite
Lastly, the OWASP Testing Guide provides guidance on manual testing as well:
https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)
https://www.owasp.org/index.php/Testing_for_Session_puzzling_(OTG-SESS-008)
https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsPscanrulesPscanrules#session-id-in-url-rewrite
Lastly, the OWASP Testing Guide provides guidance on manual testing as well:
https://www.owasp.org/index.php/Testing_for_Session_Fixation_(OTG-SESS-003)
https://www.owasp.org/index.php/Testing_for_Session_puzzling_(OTG-SESS-008)
Reply all
Reply to author
Forward
0 new messages