Details

Alert ID: 90027
Alert Type: Active
Status: beta
Risk: Informational
CWE: 205
WASC: 45
Technologies Targeted: All
Tags: CWE-205, OWASP_2017_A06, OWASP_2021_A05, WSTG-V42-SESS-02
More Info: Scan Rule Help

Summary

Repeated GET requests, each dropping a different cookie and each followed by a normal request with all cookies to stabilize the session; every reduced-cookie response is compared against the original baseline GET. This can reveal areas where cookie-based authentication or cookie-carried attributes are not actually enforced.

Solution

Other Info

Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.

These cookies affected the response: oops
These cookies did NOT affect the response: bar,foo
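The procedure from the Summary and the two result lines from Other Info, as an added worked example that is not the scan rule's own code: the HTTP layer is replaced by a constructed in-memory application (ToyApp, with a hypothetical "oops" session cookie and two unused cookies "foo" and "bar") so the check runs offline. The comparison rule (status code plus whitespace-normalised body) is an assumption chosen for this example, not a statement of what the ZAP rule compares.

```python
"""Slacker cookie check: drop each cookie in turn, compare with the baseline.

Added example, not code from the ZAP project. The target application below
is constructed for this example so that the check runs offline.
"""
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]                      # (status code, body)
Sender = Callable[[Dict[str, str]], Response]   # send GET with these cookies


class ToyApp:
    """Constructed target: only the 'oops' cookie is really checked.

    'foo' and 'bar' are never read by the handler, so dropping either of
    them leaves the response unchanged; they are the 'slacker' cookies.
    """

    def __init__(self) -> None:
        self.requests: List[Dict[str, str]] = []  # every cookie set received

    def get(self, cookies: Dict[str, str]) -> Response:
        self.requests.append(dict(cookies))
        if cookies.get("oops") == "sess-123":       # hypothetical session token
            return 200, "<html><body>Welcome back, user</body></html>"
        return 302, "Location: /login"


def _normalise(body: str) -> str:
    return re.sub(r"\s+", " ", body).strip()


def responses_differ(a: Response, b: Response) -> bool:
    """Assumed comparison: status code or whitespace-normalised body differs."""
    return a[0] != b[0] or _normalise(a[1]) != _normalise(b[1])


def slacker_cookie_check(
    send: Sender, cookies: Dict[str, str]
) -> Tuple[List[str], List[str]]:
    """Return (affected, unaffected) cookie names, both sorted.

    1. Baseline GET with the full cookie set.
    2. For each cookie, GET without it and compare against the baseline.
    3. After each probe, GET with the full cookie set again so that any
       server-side session state disturbed by the probe is stabilised
       before the next cookie is tested.
    """
    baseline = send(dict(cookies))
    affected: List[str] = []
    unaffected: List[str] = []
    for name in cookies:
        probe = {k: v for k, v in cookies.items() if k != name}
        if responses_differ(send(probe), baseline):
            affected.append(name)
        else:
            unaffected.append(name)
        send(dict(cookies))  # stabilising request with all cookies
    return sorted(affected), sorted(unaffected)


def other_info(affected: List[str], unaffected: List[str]) -> str:
    """Render the two result lines in the form the alert's Other Info uses."""
    return (
        "These cookies affected the response: " + ",".join(affected) + "\n"
        "These cookies did NOT affect the response: " + ",".join(unaffected)
    )


if __name__ == "__main__":
    app = ToyApp()
    hit, miss = slacker_cookie_check(app.get, {"oops": "sess-123", "foo": "1", "bar": "2"})
    print(other_info(hit, miss))
```

Run as a script it prints the same two lines that appear above: "oops" is the only cookie whose absence changes the response, while "bar" and "foo" are reported as having no effect. The stabilising request after each probe is what keeps a stateful application from poisoning later comparisons, which is why the check issues two requests per cookie plus one baseline.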

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/SlackerCookieScanRule.java