Skip to content

OWASP Zap Working with Sessions

Ā Application Security Testing Software such as OWASP Zap can be intimidating at first. It can take a while to learn it. But in this series of posts I hope to help you along with the process. Once you open Zap you already have a session without even knowing it. So lets get into OWASP Zap and working with Sessions.

I have prepared a video for this content just in case!


Sessions in Zap

Once you open Zap you have already entered a new session. But what are they?

What is a Session

When you use are using Zap regularly, the below screen becomes very familiar. It pops up every time Zap is started.

OWASP Zap start page.

A session in Zap is basically everything you do from when you open the program until you close it again. You can choose to save the data (Persist) or not.

Types of Sessions

There are basically two ways of dealing with Sessions either you save it and are persistent or you don’t. To Persist a Session, means that it is automatically saved to your disk. Into files and into a database. So you never have to save again during your session as Zap will automatically do it for you. This allows you to recover a previous Session and keep all the data you gathered.

So why not just enable Persistent sessions all the time? There are few reasons.

  • Persistent sessions can take up a lot of storage.
  • In my experience, Persistent sessions can slow down your system if they are too big.
  • Typically you don’t need to Persist sessions and you can get all of what you need in a Session without saving it.

Tip: To save storage and system resouces, you should only use Persistent sessions if you really need them.

Enabling Persist Sessions

You can enable Persist Sessions from the start up screen in Zap.

Enable Sessions

If you have already started a sessions and need to save it you can do so from the “File” – “Persist Session” menu.

Make a Persist Session

Tip: If you start the “Persist Session” at the beginning it works much faster and has less of an impact on the system.

However if you clicked on the “Remember my Choice and do not ask me Again” option. Then this screen will not show on start up of Zap.

You can get it back by going into the Menu Item “Tools” – “Options”

Options Page

Proceed to open the database Section.

Database Options

Make sure the “Prompt for persistence options on new session” button is ticked. Then the menu will appear again on Zap start up.

Session Snapshots

If you are running a Persist Session then you can take a snapshot of that session whenever you like. Consider it a point in time copy of the Persist Session that wont change after you take it, but the original Session will continue to save. This can only be done on a running Persist Sessions. Go to “File” – “Snapshot Session As”

Snapshot Session

This typically takes a Snapshot of the running session and uses the same name but with the date and time of the snapshot appended.

Session Properties

Sessions are very configurable and have many options. Mostly what to include or exclude from the running Session. The property page for the current Session is found in the “File” menu, or by pressing CTRL+ALT+P

Session Properties

There are a number of Options in the Session Properties dialogue box.

  • General: You can set the name of the Session in here.
  • Exclude from Proxy: Using Regular expressions, this is a list of URLs that are the Proxy will not process.
  • Exclude from Scanner: Using Regular expressions, this is a list of URLs that are the Active Scanner will not process.
  • Exclude from Spider: Using Regular expressions, this is a list of URLs that are the Spider will not process.
  • Contexts: These are how urls for the web application in scope are managed. This is a large topic and deserves it’s own page.
  • Exclude from WebSockets: Using Regular expressions, this is a list of URLs that are the Websocker window will not process.

Wrap Up

I hope you find this post of value and that you learned something about OWASP Zap and working within Sessions. You can post a comment below or look me up on twitter.

You can find more information on Session Management over on the zaproxy webpage.


Published inIT & SecurityLinux