Session Management Identification

This add-on includes a passive scan rule which attempts to identify the session management method a site uses.
It does so by looking for commonly used session management identifiers in the traffic, and for any value sent in an Authorization request header.

The rule does not attempt to identify very unusual session management methods: automation is one of the end goals, so false negatives (missing an unusual session management method) are preferred over false positives (incorrectly identifying a session management method).

If this rule identifies a session management method for a site that belongs to a context you have set to use the Auto-Detect Session Management Method, it will update that context to use the session management method it identified.

If no session management method is identified, check that the request is being made to a site which is included in the context.
If it is not, add the site to the context and authenticate again via your browser.

The ‘Other Info’ field of the alert reports the set of header-based session management tokens that need to be specified.
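The following is an added illustration of the detection approach described above, written for this page in Python rather than taken from SessionDetectionScanRule.java or any other ZAP code. It models the three behaviours the text describes: a request is only examined if its Host is in the context, any Authorization value is reported, and other headers are reported only when their name is on a list of commonly used session identifiers and their value looks like an opaque token (so a short or non-token value is a false negative rather than a false positive). The header-name list, the token pattern, the context model (a set of hostnames) and the sample requests are all assumptions constructed for the example.

```python
import re

# Header names that commonly carry a session token. Constructed for this
# example; the real rule's own list is in SessionDetectionScanRule.java.
SESSION_HEADER_NAMES = {"x-auth-token", "x-session-token", "x-access-token"}

# A non-Authorization header is only reported when its value looks like an
# opaque token: 16+ characters from the usual token alphabet. Deliberately
# strict, because a missed method is cheaper than a wrongly identified one.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._~+/=-]{16,}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def looks_like_session_header(name, value):
    """True if this header should be treated as carrying a session token."""
    lname = name.lower()
    if lname == "authorization":
        # Any value in an Authorization header counts, as the rule description says.
        return bool(value)
    return lname in SESSION_HEADER_NAMES and TOKEN_RE.match(value) is not None


def identify_session_headers(raw_request, context_hosts):
    """Return the sorted list of header names whose values the header-based
    session management method would need to track (what would go into
    'Other Info'), or None when the request's site is not in the context."""
    _, headers = parse_request(raw_request)
    host = next((v for n, v in headers if n.lower() == "host"), None)
    if host not in context_hosts:
        return None  # not in context: nothing to report, add the site first
    return sorted({n for n, v in headers if looks_like_session_header(n, v)})


# Constructed sample requests (not captured traffic).
BEARER_REQUEST = (
    "GET /api/profile HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123\r\n"
    "X-Session-Token: 9f8e7d6c5b4a39281706f5e4d3c2b1a0\r\n"
    "Accept: application/json\r\n"
    "\r\n"
)

SHORT_TOKEN_REQUEST = (
    "GET /api/profile HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "X-Auth-Token: abc\r\n"
    "\r\n"
)

OUT_OF_CONTEXT_REQUEST = (
    "GET /api/profile HTTP/1.1\r\n"
    "Host: other.example.test\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123\r\n"
    "\r\n"
)

if __name__ == "__main__":
    context = {"app.example.test"}
    print(identify_session_headers(BEARER_REQUEST, context))
    print(identify_session_headers(SHORT_TOKEN_REQUEST, context))
    print(identify_session_headers(OUT_OF_CONTEXT_REQUEST, context))
```

The first request yields both `Authorization` and `X-Session-Token`; the second yields nothing because `abc` does not look like a token; the third yields `None` because `other.example.test` is not in the context, which is exactly the situation where the page tells you to add the site and authenticate again.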

The rule will currently identify:

  • Header-based session management methods

If this rule fails to identify one of the above methods, raise an issue with the complete request and response details (with any sensitive information obfuscated) and we will investigate it.

Latest code: SessionDetectionScanRule.java