ZAP – Session Management Response Identified

Details
Alert ID	10112
Alert Type	Passive
Status	beta
Risk	Informational
CWE
WASC
Technologies Targeted	All
Tags

Summary

The given response has been identified as containing a session management token. The ‘Other Info’ field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to “Auto-Detect” then this rule will change the session management to use the tokens identified.

Solution

This is an informational alert rather than a vulnerability and so there is nothing to fix.

Other Info

header:authorization

References

https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/

Code

org/zaproxy/addon/authhelper/SessionDetectionScanRule.java