To perform an authenticated Website Scan with the Cookies or Headers method, you need to obtain the session cookie.
First, authenticate manually to the target web application in your web browser. Then copy the session cookie string from the browser.
For example, using Google Chrome, you’ll have to perform the following actions:
- Open Developer Tools via Menu > More tools > Developer Tools (or Ctrl + Shift + I)
- Open the ‘Network’ tab
- Refresh the page (or Ctrl + R)
- In the ‘Name’ column, select a request whose details include a ‘Cookies’ tab
- Open the ‘Headers’ tab for that request
- Scroll down to Request Headers and locate the Cookie header
- Copy the string from the Cookie header and insert it as in the example below:
PHPSESSID=a765feb13b4112f3d12f3dfa12e;_aa_id=ad4b654ad48f4d545a64d75ea (a list of name=value pairs separated by “;” with no spaces)
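As an added example (not part of this page or the scanner's own code), the Python script below converts a Cookie request header as copied from Developer Tools, where the browser joins cookies with “; ”, into the semicolon-separated, space-free format shown above, rejects malformed pairs, and checks that the string actually contains a session cookie. The sample header and the list of session cookie names are constructed for this example.

```python
import re

# Constructed sample: a Cookie request header as shown in Developer Tools.
# Browsers join cookies with "; " (semicolon followed by a space).
RAW_COOKIE_HEADER = (
    "PHPSESSID=a765feb13b4112f3d12f3dfa12e; _aa_id=ad4b654ad48f4d545a64d75ea; "
    "theme=dark"
)

# Constructed list of cookie names that commonly carry the session identifier;
# used only as a sanity check that the copied string includes a session cookie.
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId",
                        "session", "sessionid"}

# RFC 6265 cookie-name is an HTTP token: no separators, whitespace or CTLs.
_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 6265 cookie-octet excludes whitespace, DQUOTE, comma, semicolon, backslash.
_BAD_VALUE_CHARS = ' \t;,"\\'


def parse_cookie_header(raw: str) -> dict:
    """Split a Cookie header into a name -> value mapping, preserving order."""
    cookies = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed cookie pair: {part!r}")
        name, value = part.split("=", 1)  # values may themselves contain '='
        name, value = name.strip(), value.strip()
        if not _NAME_RE.match(name):
            raise ValueError(f"invalid cookie name: {name!r}")
        if any(c in value for c in _BAD_VALUE_CHARS):
            raise ValueError(f"invalid characters in value of {name!r}")
        cookies[name] = value
    return cookies


def to_scanner_format(raw: str) -> str:
    """Return the 'name=value;name=value' string (no spaces) the scan expects."""
    cookies = parse_cookie_header(raw)
    if not cookies:
        raise ValueError("no cookies found in header")
    return ";".join(f"{name}={value}" for name, value in cookies.items())


def has_session_cookie(raw: str) -> bool:
    """True if at least one commonly used session cookie name is present."""
    return bool(SESSION_COOKIE_NAMES & parse_cookie_header(raw).keys())


if __name__ == "__main__":
    print(to_scanner_format(RAW_COOKIE_HEADER))
    print("session cookie present:", has_session_cookie(RAW_COOKIE_HEADER))
```

If has_session_cookie returns False for your application, the session cookie probably has an application-specific name; check the Cookies tab of the request and confirm the name is included in the copied string.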
Here is the Developer Tools interface: