
I have an issue in ZAP scripts.

I tried to create a login script using Zest. Most of the requests work except two of them. I found something was fishy when re-sending the request worked as expected (status code is 200), so I proxy-chained ZAP and saw that on the script request there are multiple Cookie headers.

Original :

Cookie: cookie_1
Cookie: cookie_2
Cookie: cookie_3
[...]
Cookie: cookie_n

Resent:

Cookie: cookie_1;cookie_2;cookie_3;[...];cookie_n

The first request doesn't comply with RFC 6265

5.4. The Cookie Header

The user agent includes stored cookies in the Cookie HTTP request header.

When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field.

In my case, the server enforces this and only the first cookie is parsed.

So, my question: is there a way in ZAP to fold the cookies into a single Cookie header when the cookies are added by ZAP during a Zest script?

sabatmonk

1 Answer


There's an option for this: Options > Connection > Single Cookie Request Header

Try unsetting that and let me know if that solves your problem.

Simon Bennetts
  • It was set; I unchecked it, tried, re-checked it, then tried again. It doesn't change anything. The setting seems to work on resend (request editor), as it folds the cookies before sending, but it seems to be ignored on Zest replay. – sabatmonk Jan 16 '18 at 11:03
  • Are the cookies already present in the request(s), or are they obtained while the script is executed? – Simon Bennetts Jan 16 '18 at 11:32
  • During execution – sabatmonk Jan 16 '18 at 11:57
  • More precisely, the first 3 requests are a bunch of redirections and the 4th gets a bunch of Set-Cookie headers. The 5th is the first one failing, with something like 15 individual "Cookie: something" headers. – sabatmonk Jan 17 '18 at 08:36
  • Btw, if this can help, I tried to hack my way out with an HttpSender script, and it looks like it works with HttpCookie (from Java). Those quite explicitly don't target RFC 6265 (source https://docs.oracle.com/javase/7/docs/api/java/net/HttpCookie.html#HttpCookie(java.lang.String,%20java.lang.String) ) – sabatmonk Jan 17 '18 at 10:55
  • Can you try using the zap.jar here: https://github.com/thc202/zaproxy/releases/tag/issue-cookies-zest-2 This forces the cookies to be on just one line. – Simon Bennetts Jan 18 '18 at 15:55
  • I might be doing something wrong (will check my settings and such), but it looks like it strips all cookies now, even for the proxy... Do you want me to move this discussion to an issue on GitHub? I can remove sensitive info and attach requests if it would help. – sabatmonk Jan 19 '18 at 08:33
  • There's this thread on the User Group: https://groups.google.com/d/msg/zaproxy-users/3c_NeCQz1dQ/U30FW-HQAAAJ but feel free to raise an issue as well if you like. – Simon Bennetts Jan 19 '18 at 09:49
  • Is this issue resolved, or is any workaround present? I tried the above settings, and even created HttpSender and WebSocket scripts, but nothing works. When I try to resend an existing request, the request headers do get modified after the response is received, but they are duplicated 3 times as there are 3 requests that authenticate. Is there an easy way of doing this? I am using OWASP ZAP Proxy version 2.7.0. – Devesh Dec 18 '18 at 11:45
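The folding the question asks for, as an added example that is not part of the original question, answer or ZAP's own code: a pure function that merges repeated Cookie request headers into one RFC 6265 section 5.4 compliant header, plus a strict-server parser that, like the questioner's server, reads only the first Cookie header, so the before/after difference is visible. The sample headers are constructed; the cookie names and values are invented. It is written in ES5-style JavaScript so the same function body can be pasted into a ZAP HttpSender script, but the ZAP API calls are left to the usage note because they are not exercised here.

```javascript
// Added example: fold repeated "Cookie" request headers into a single header,
// as RFC 6265 section 5.4 requires ("MUST NOT attach more than one Cookie
// header field"). Not ZAP code; written in ES5 style so it also runs under
// the Nashorn engine used by ZAP's JavaScript scripts.

// Headers are modelled as an array of {name, value} objects in wire order.
function foldCookieHeaders(headers) {
  var pairs = [];        // every "name=value" pair found, in order
  var firstIndex = -1;   // position of the first Cookie header, kept as the fold point
  headers.forEach(function (h, i) {
    if (h.name.toLowerCase() !== 'cookie') return;
    if (firstIndex === -1) firstIndex = i;
    // A single Cookie line may already carry several pairs; keep each one.
    h.value.split(';').forEach(function (pair) {
      var p = pair.trim();
      if (p.length > 0) pairs.push(p);
    });
  });
  if (firstIndex === -1) return headers.slice(); // no cookies, nothing to fold

  var out = [];
  headers.forEach(function (h, i) {
    if (h.name.toLowerCase() !== 'cookie') { out.push(h); return; }
    // The first Cookie header becomes the folded one; later ones are dropped
    // because their pairs are already in the folded value.
    if (i === firstIndex) out.push({ name: 'Cookie', value: pairs.join('; ') });
  });
  return out;
}

// Model of the strict server from the question: it honours only the first
// Cookie header and parses that one line into a name -> value map.
function parseFirstCookieHeader(headers) {
  var cookies = {};
  for (var i = 0; i < headers.length; i++) {
    if (headers[i].name.toLowerCase() !== 'cookie') continue;
    headers[i].value.split(';').forEach(function (pair) {
      var p = pair.trim();
      var eq = p.indexOf('=');
      if (eq > 0) cookies[p.slice(0, eq)] = p.slice(eq + 1);
    });
    break; // first Cookie header only, any further ones are ignored
  }
  return cookies;
}

// Constructed sample mimicking the failing Zest request: one Cookie header per
// cookie, exactly what the questioner saw in the proxy chain.
var unfoldedRequest = [
  { name: 'Host', value: 'app.example.test' },        // invented host
  { name: 'Cookie', value: 'JSESSIONID=abc123' },     // invented cookies
  { name: 'Cookie', value: 'XSRF-TOKEN=tok456' },
  { name: 'Cookie', value: 'lang=en' },
  { name: 'User-Agent', value: 'ZAP' }
];

var foldedRequest = foldCookieHeaders(unfoldedRequest);

// Before folding the strict server sees one cookie; after folding it sees all three.
function cookieCountSeenByServer(headers) {
  return Object.keys(parseFirstCookieHeader(headers)).length;
}
```

To apply this inside a ZAP HttpSender script, the natural place is `sendingRequest(msg, initiator, helper)`: read the current values with `msg.getRequestHeader().getHeaderValues("Cookie")`, join them with `"; "` exactly as `foldCookieHeaders` does, and write them back with `msg.getRequestHeader().setHeader("Cookie", joined)`, which replaces all existing Cookie headers. Those two method names are my assumption about the ZAP 2.7 `HttpRequestHeader` API and should be checked against the ZAP version in use; the folding logic itself does not depend on them. Note that folding preserves the order in which the cookies appeared, so a server that resolves duplicate cookie names by taking the first occurrence still sees the same winner.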