Application security testing software such as OWASP Zap can be intimidating at first, and it takes a while to learn. In this series of posts I hope to help you along with the process. Once you open Zap you already have a session, whether you noticed or not, so let’s get into OWASP Zap and working with sessions.
I have prepared a video for this content just in case!
Sessions in Zap
Once you open Zap you have already started a new session. But what is a session?
What is a Session
When you use Zap regularly, the screen below becomes very familiar: it is the persistence prompt that pops up every time Zap is started.
A session in Zap is everything you do from when you open the program until you close it again: the requests and responses that went through the proxy, the Sites tree, the alerts raised, and so on. You can choose to save that data to disk (persist it) or not.
Types of Sessions
There are basically two ways of dealing with sessions: either you persist the session or you don’t. Persisting a session means it is automatically saved to disk as you work, as a set of session files and an HSQLDB database, so you never have to save manually; Zap does it for you as you go. This lets you recover a previous session later with all the data you gathered.
So why not just enable persistent sessions all the time? There are a few reasons.
- Persistent sessions can take up a lot of storage; every proxied request and response is written to the database.
- In my experience, persistent sessions can slow down your system if they get too big.
- Typically you don’t need to persist a session; you can get everything you need from a session without saving it.
Tip: To save storage and system resources, only use persistent sessions when you really need them.
Enabling Persist Sessions
You can enable a persistent session from the start-up screen in Zap.
If you have already started a session and need to save it, you can do so from the “File” – “Persist Session” menu.
Tip: If you choose “Persist Session” at the beginning it works much faster and has less impact on the system, because the data is written to disk as it is gathered rather than copied across in one go at the moment you persist an existing session.
However, if you ticked “Remember my choice and do not ask me again”, this screen will not show on start-up of Zap.
You can get it back by going to the menu item “Tools” – “Options”.
Then open the “Database” section.
Make sure “Prompt for persistence options on new session” is ticked. The prompt will then appear again on Zap start-up.
If you are running a persistent session you can take a snapshot of it whenever you like. Think of it as a point-in-time copy of the persistent session that will not change after you take it, while the original session continues to be saved. Snapshots can only be taken of a running persistent session. Go to “File” – “Snapshot Session As”.
By default the snapshot uses the same name as the running session with the date and time of the snapshot appended; you can change that name in the save dialog if you want something more descriptive.
Sessions are very configurable and have many options, mostly about what to include in or exclude from the running session. The property page for the current session is found in the “File” menu (“Session Properties”), or by pressing CTRL+ALT+P.
There are a number of tabs in the Session Properties dialog. The exclusion tabs all take regular expressions, and each regex has to match the whole URL, not just part of it, so a bare word like `logout` excludes nothing; you need something like `.*logout.*`.
- General: set the name of the session here.
- Exclude from Proxy: a list of regular expressions; URLs matching them are not recorded by the proxy at all.
- Exclude from Scanner: a list of regular expressions; URLs matching them are skipped by the active scanner.
- Exclude from Spider: a list of regular expressions; URLs matching them are not crawled by the spider.
- Contexts: how the URLs of the web application in scope are managed. This is a large topic and deserves its own page.
- Exclude from WebSockets: a list of regular expressions; WebSocket URLs matching them are not processed by the WebSockets tab.
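Getting an exclusion regex wrong is easy to miss: a pattern that silently matches nothing leaves your logout or account-deletion endpoint in scope for the active scanner, and a pattern that is too broad drops traffic you wanted. The script below is an added example, not code from the original post or from the ZAP project. It emulates how ZAP applies these lists (the whole URL must match, which `re.fullmatch` reproduces; ZAP itself uses Java regex, so the assumption here is that the patterns you test use syntax both engines agree on) so you can dry-run your lists against a handful of URLs before pasting them into the Session Properties tabs. The hostnames, paths and patterns are constructed for illustration.

```python
import re
from typing import Iterable

# Constructed example exclusion lists, written the way they would be typed into
# the Session Properties tabs. Hostnames and paths are made up for illustration.
EXCLUDE_FROM_PROXY = [r".*\.(png|jpg|gif|css|js|woff2?)(\?.*)?"]
EXCLUDE_FROM_SPIDER = [r"https://app\.example/logout.*"]
EXCLUDE_FROM_SCANNER = [r"https://app\.example/account/delete.*"]


def is_excluded(url: str, patterns: Iterable[str]) -> bool:
    """Return True if any pattern matches the WHOLE url.

    ZAP applies exclusion regexes to the full URL rather than as a substring
    search, so re.fullmatch is used to emulate that behaviour.
    Assumption: Java and Python regex syntax agree for the patterns tested.
    """
    return any(re.fullmatch(p, url) for p in patterns)


def classify(url: str) -> dict:
    """Report which of the three exclusion lists would drop this URL."""
    return {
        "proxy": is_excluded(url, EXCLUDE_FROM_PROXY),
        "spider": is_excluded(url, EXCLUDE_FROM_SPIDER),
        "scanner": is_excluded(url, EXCLUDE_FROM_SCANNER),
    }


def bad_patterns(patterns: Iterable[str]) -> list:
    """Return (pattern, reason) pairs for patterns that do not even compile,
    so a typo is caught before the list is pasted into Zap."""
    problems = []
    for p in patterns:
        try:
            re.compile(p)
        except re.error as exc:
            problems.append((p, str(exc)))
    return problems


def dry_run(urls: Iterable[str]) -> dict:
    """Map each URL to the list of components that would skip it."""
    return {u: [k for k, v in classify(u).items() if v] for u in urls}


if __name__ == "__main__":
    sample = [  # constructed traffic, not captured from a real target
        "https://app.example/static/app.css",
        "https://app.example/logout?next=/",
        "https://app.example/account/delete?id=7",
        "https://app.example/account/profile",
    ]
    for url, skipped in dry_run(sample).items():
        print(f"{url:45} skipped by: {skipped or 'nobody'}")
    # The classic mistake: a bare word never matches the whole URL.
    print(is_excluded("https://app.example/logout", ["logout"]))      # False
    print(is_excluded("https://app.example/logout", [".*logout.*"]))  # True
    print(bad_patterns(["(unclosed"]))  # one entry, with the compile error
```

Run it with `python3 check_excludes.py` (a file name chosen here for illustration) after editing the three lists to match your target. The same three lists can also be set over the ZAP API (core/action/excludeFromProxy, spider/action/excludeFromScan and ascan/action/excludeFromScan) if you drive Zap from a script rather than the GUI.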
I hope you found this post of value and that you learned something about OWASP Zap and working with sessions. You can post a comment below or look me up on Twitter.
You can find more information on session management over on the zaproxy website.