Tags: c#, owasp, penetration-testing, security-testing

Broken Authentication and Session Management


Using Firefox: I am authenticated with valid credentials; with the ZAP proxy I capture the 302 response code and a valid cookie.

Using Chrome: I provide wrong credentials and replace the response with the captured 302 response containing the valid captured cookie. I'm now able to log in to the application.

Is this finding a false positive or not?

If not, then what is the mitigation to resolve this issue?


Mitigation Suggested:

Multiple user logins in multiple browsers and on multiple machines should be validated. If matched, invalidate the existing cookie and make the user authenticate again.


I am a penetration tester and don't have the application code.


Users should not be authenticated to the application without providing valid credentials.


Solution

  • Keep in mind that if you steal a session cookie, it's like you have stolen valid credentials. The fact that you gave wrong credentials earlier doesn't matter; as long as you have a valid session cookie it's the same as if you had a valid key to a door: you're allowed to enter.

    Is it OK? It depends. First, it depends on the session cookie. If it has the HttpOnly and Secure flags, and all communication is sent via SSL (HTTPS), we may assume that this cookie is reasonably safe, because in theory it could be accessed only on the server and on the sending device, only via the browser. The only case in which it could be stolen (in theory) is as you did: someone has access to the logged-in device and steals it. It's a matter of anti-virus software, the user etc. securing this PC, not of the tested system preventing such stealing.

    On the other hand, if the system stores some crucial data it should validate the user not only by cookie. It should also check whether the request was sent from the same browser as the one associated with the cookie, from the same IP etc. Keep in mind that those data can still be tampered with.

    Session cookies are like a key to a door: if someone gets yours, he could enter the building. The problem here is not the fact that a valid key allows anyone using it to enter, but what this key allows him to open. It depends on where he enters. If the key allows entrance to bike lockers or a toilet, it's secured enough; as long as you don't allow anyone to have your key (or steal your cookie) it's fine. But if this key allows the user to enter a bank vault, it's a big security issue, because entering a vault should not rely only on having valid keys, but also on some other kind of person verification such as a fingerprint or an eye scanner.

    So without knowing the context of the app it's hard to answer your question. I hope I explained it to you properly.
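An added example, not code from the question or the answer, of the session binding the answer describes: the server issues the session cookie with HttpOnly, Secure and SameSite, records a fingerprint of the browser and IP it was issued to, and revokes the session when the same cookie arrives from a different client (the "invalidate and re-authenticate" mitigation the question proposes). The in-memory store, the credential check and the user-agent strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> {"user": ..., "fp": ...}
SESSIONS = {}

# Constructed user-agent strings standing in for the two browsers in the question
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
CHROME_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"


def client_fingerprint(user_agent: str, client_ip: str) -> str:
    """Bind a session to the browser and IP it was issued to (both spoofable, as the answer notes)."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()


def login(username: str, password: str, user_agent: str, client_ip: str):
    """Return a Set-Cookie header on success, None on bad credentials."""
    # Constructed credential check; a real application verifies a stored password hash.
    if not hmac.compare_digest(password, "correct-horse"):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable, server-generated session id
    SESSIONS[sid] = {"user": username, "fp": client_fingerprint(user_agent, client_ip)}
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["httponly"] = True   # not readable by page scripts
    cookie["SESSIONID"]["secure"] = True     # only sent over HTTPS
    cookie["SESSIONID"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


def authenticate_request(cookie_header: str, user_agent: str, client_ip: str):
    """Return the user for a valid, bound session; None (and revoke) when the cookie is replayed elsewhere."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("SESSIONID")
    session = SESSIONS.get(morsel.value) if morsel is not None else None
    if session is None:
        return None
    if not hmac.compare_digest(session["fp"], client_fingerprint(user_agent, client_ip)):
        # Same cookie, different browser/IP: treat it as stolen, revoke it, force re-login.
        del SESSIONS[morsel.value]
        return None
    return session["user"]
```

Replaying a Firefox-issued SESSIONID from Chrome fails the fingerprint check and deletes the session, so the original Firefox session is logged out as well.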