OWASP ZAP. How to use a cookie for scanning a website?

security cookies zap
aDoN picture aDoN · Jul 17, 2015 · Viewed 10.6k times · Source

I don't know how to use a cookie on ZAP for scanning a website, what I do is right click on the domain Attack>Active Scan Subtree.

I have tried that after doing a request to the website with a valid cookie (I was logged), in case ZAP takes the last cookie, but apparently it doesn't, so the result is that I have scanned just the login, not the I could have accessed when logged.

Thank you very much.

Answer

aDoN picture aDoN · Jul 18, 2015

I found what I needed, a context, doesn't work providing a cookie (which I would like too) but with the login credentials

https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAuthentication#formBased

Related questions

What is the best way to implement "remember me" for a website?

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. I know I will need to store a cookie on their computer to …

Read More
How do you configure HttpOnly cookies in tomcat / java webapps?

After reading Jeff's blog post on Protecting Your Cookies: HttpOnly. I'd like to implement HttpOnly cookies in my web application. How do you tell tomcat to use http only cookies for sessions?

Read More
What is the best way to prevent session hijacking?

Specifically this is regarding when using a client session cookie to identify a session on the server. Is the best answer to use SSL/HTTPS encryption for the entire web site, and you have the best guarantee that no man …

Read More