Details
Alert ID 90027
Alert Type Active
Status beta
Risk Informational
CWE 205
WASC 45
Technologies Targeted All
Tags CWE-205
OWASP_2017_A06
OWASP_2021_A05
POLICY_PENTEST
SYSTEMIC
WSTG-V42-SESS-02
More Info Scan Rule Help

Summary

Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.

Solution

Other Info

Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced. These cookies affected the response: oops These cookies did NOT affect the response: bar,foo

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java