Testing Session Management with ZAP

Question

Is it possible to automatically test the session management with ZAP ?

This should be possible, because ZAP is referenced as a tool for testing session management in the OWASP Testing Guide :

Tools

OWASP Zed Attack Proxy Project (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project - features a session token analysis mechanism.

But I can't find any documentation how to test session managment.

Note: There's a lot of documentation regarding how to add authentication to ZAP but not how to test it.

Answer 1

There are several features included in ZAP related to testing session management.

You need the following AddOns ( https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsManageaddons )

• Addon Active Scanner Rules (beta)
• Addon Passive scanner rules (alpha)
• Addon Passive scanner rules (beta)
• Addon Passive scanner rules (release)
• Addon Token generation and analysis
• Addon ViewState

These AddOns provide the following functionality...

AddOn Active Scanners

• Session Fixation
• Cookie Slack Detector (Reveal areas where session cookies are not actually enforced)

AddOn Passive Scanners

• Insecure JSF ViewState
• Viewstate Scanner
• Weak Authentication Method
• Cookie no httpOnly flag
• cookie without secure flag
• session id in url rewrite

Addon Token generation and analysis

Allows you to generate and analyze pseudo random tokens, such as those used for session handling or CSRF protection

Addon ViewState

ASP/JSF ViewState Decoder and Editor

MainMenuBar > Tools > Encode/Decode/Hash...

Could help to identify meaningful Tokens

---

The following Plugins are more related to authentication/authorization than session management but...

AddOn SAML Extension

Detect, Show, Edit, Fuzz SAML requests

AddOn Access Control Testing

Adds a set of tools for testing access control in web applications