Is it possible to automatically test session management with ZAP?
This should be possible, because ZAP is referenced as a tool for testing session management in the OWASP Testing Guide:
Tools
OWASP Zed Attack Proxy Project (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project - features a session token analysis mechanism.
But I can't find any documentation on how to test session management.
Note: There's a lot of documentation regarding how to add authentication to ZAP but not how to test it.
There are several features included in ZAP related to testing session management.
You need the following AddOns (https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsManageaddons):
These AddOns provide the following functionality...
AddOn Active Scanners
AddOn Passive Scanners
Addon Token generation and analysis
Allows you to generate and analyze pseudo random tokens, such as those used for session handling or CSRF protection
Addon ViewState
ASP/JSF ViewState Decoder and Editor
MainMenuBar > Tools > Encode/Decode/Hash...
Could help to identify meaningful Tokens
The following Plugins are more related to authentication/authorization than session management but...
AddOn SAML Extension
Detect, Show, Edit, Fuzz SAML requests
AddOn Access Control Testing
Adds a set of tools for testing access control in web applications
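As an added illustration of the kind of check the token generation and analysis add-on performs (this is not the add-on's code and not part of the original answer), the script below runs a simple sequencer-style analysis over two constructed token samples: per-character-position Shannon entropy, a summed entropy estimate, positions that barely vary, and repeated values. The samples are synthetic; in practice the list would be the cookie values harvested by ZAP.

```python
import hashlib
import math
from collections import Counter

# Constructed samples standing in for cookie values harvested with ZAP's token
# generator. Neither list is real data: WEAK_TOKENS are sequential (what a
# broken session implementation might issue), STRONG_TOKENS are derived from
# SHA-256 so that their characters are well spread.
WEAK_TOKENS = [f"sess-{i:04d}" for i in range(16)]
STRONG_TOKENS = [hashlib.sha256(str(i).encode()).hexdigest()[:32] for i in range(64)]


def shannon_entropy(symbols):
    """Shannon entropy in bits of the empirical distribution of `symbols`."""
    counts = Counter(symbols)
    total = len(symbols)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def position_entropy(tokens):
    """Entropy per character position; all tokens must have equal length."""
    lengths = {len(t) for t in tokens}
    if len(lengths) != 1:
        raise ValueError(f"tokens have mixed lengths: {sorted(lengths)}")
    width = lengths.pop()
    return [shannon_entropy([t[i] for t in tokens]) for i in range(width)]


def analyze_tokens(tokens, min_bits_per_position=1.0):
    """Summarise a token sample the way a sequencer-style analysis does.

    Returns the token width, the sum of per-position entropies (a rough
    upper bound on the effective entropy of the sample), the positions that
    barely vary, and any repeated tokens (a repeated session ID is a finding
    on its own).
    """
    per_pos = position_entropy(tokens)
    dupes = [t for t, n in Counter(tokens).items() if n > 1]
    return {
        "width": len(per_pos),
        "total_bits": sum(per_pos),
        "low_positions": [i for i, h in enumerate(per_pos) if h < min_bits_per_position],
        "duplicates": dupes,
    }


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        r = analyze_tokens(sample)
        print(f"{name}: {r['total_bits']:.1f} bits over {r['width']} chars, "
              f"{len(r['low_positions'])} low-variance positions, "
              f"{len(r['duplicates'])} duplicates")
```

Per-position entropy only catches gross weaknesses such as fixed prefixes, counters and repeats; it says nothing about predictability across tokens, which is what the add-on's further tests (and a proper randomness test suite) are for.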