2024-09-10T19:08:30
I mean that under Cookie Options unselecting everything results in that error.
My app is HTTPS only; do I need to keep HttpOnly and Secure = true regardless, or just Secure on its own? I know the example I posted is HTTP, but it was only for a test.
I do not understand why on the first scan all looks well, but running it again in the same session gives these errors. ZAP is confusing me: I have two computers with it on, getting different results on each using the same compiled exe. It must be some setting change somewhere, but I can't find it.
2024-09-10T19:33:24
1) Secure means that the cookie will only be transmitted in HTTPS.
2) HttpOnly means that the cookie cannot be read/written from JavaScript.
(1) should always be used in production if your app is HTTPS only (no HTTP).
(2) should always be used unless you are manipulating cookies in JavaScript.
Both contribute to the overall application security (and the lack of either of them will probably be caught in a standard penetration test).
2024-09-10T19:40:59
Thanks Alexandre, I will give it a test tomorrow as it's late here, but thanks for the info, I really appreciate it.
Regarding ZAP, I am closing both the webapp and ZAP in between, then running fresh and doing 2 scans in one session.
2024-09-10T19:42:52
The problem when running a test with HTTP is that you will get some "false positives" because you're not using HTTPS features (like the "Secure" flag).
If you can, use the real thing when testing.