In order to perform an authenticated scan with the Cookies or Headers methods, you will need to obtain the session cookie.
First, you have to manually authenticate in the target web application using your web browser. Secondly, you need to get the session cookie string from the browser.
For example, using Google Chrome, you’ll have to perform the following actions:
- Enter Developer Tools – by Menu > More tools > Developer Tools (or Ctrl + Shift + I)
- Enter the ‘Network’ Tab
- Refresh page (or Ctrl + R)
- Click on the ‘Name’ section, and choose a URL that displays an additional ‘Cookies’ tab.
- Go to the ‘Headers’ Tab (for that URL)
- Scroll to Request Headers and see the Cookie header
- Copy the string from the Cookie header and insert it as in the example below:
PHPSESSID=a765feb13b4112f3d12f3dfa12e;_aa_id=ad4b654ad48f4d545a64d75ea’ (a list with name=value separated by “; ”)
Example Developer Tools interface: