Hi, is it possible to capture a session cookie and use it to scan a web app that uses dynamic virtual keyboards?
If so, please share the procedure.
Sure. Log into the application as you would normally. Use something like Firebug or your browser's web console to grab the session cookie and simply insert the valid session cookie into the Header Injection setting.
Cookie: ASP.NET_SessionId=yw13b045nq1zluvxp4vi4o55; .ASPXFORMSAU
JSESSIONID=YW13B045NQ1ZLUVXP4VI4O55.nodexx; path=/; domain=foo.bar.com
There are definitely some limitations. Some are: if the session ID cannot be reused, if it expires, or if a logout button is crawled, etc. The best thing to do is to try this method and see if your links crawled are links in which you need successful auth to access. That should be a key indicator of successful auth/coverage.
Yes, this can be achieved with header injection. You can access this option in Web Application Edit under Scan Setting. Screenshot below. Here you can enter the valid session cookie.
I hope this helps you.
Hi Frank, thank you for your help. Can you explain how to capture the session cookie and if there are any limitations-caveats when doing WAS scans with this header injection?
If you're trying to "capture" it I was thinking Selenium scripts. But if you're able to reuse the session cookie then use what Frank suggested.
However, if you're able to re-use session cookies you might have an issue as well.
My comments are worth what you paid for them.
Frank, thank you for your advice. Will do some tests now.
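An added example, not part of the thread and not vendor code: a small Python helper that turns cookie lines copied from the browser into the single `Cookie:` line used for header injection, then checks a crawled-link list for the two indicators mentioned above (protected links reached, logout link crawled). The cookie values, host name, `AUTHTOKEN` name, `/account/` prefix and logout markers are constructed assumptions.

```python
from urllib.parse import urlsplit

# Set-Cookie attributes: the server sends these, the browser never sends them back.
ATTRIBUTES = {"path", "domain", "expires", "max-age", "secure", "httponly", "samesite"}

def build_cookie_header(captured):
    """Return (header, problems) for lines copied with or without a header prefix."""
    pairs, problems = {}, []
    for line in captured:
        prefix, sep, rest = line.partition(":")
        if sep and prefix.strip().lower() in ("cookie", "set-cookie"):
            line = rest  # drop the "Cookie:" / "Set-Cookie:" prefix
        for part in filter(None, (p.strip() for p in line.split(";"))):
            name, eq, value = part.partition("=")
            name = name.strip()
            if name.lower() in ATTRIBUTES:
                continue  # path=/, domain=..., HttpOnly and similar
            if not eq or not value.strip():
                problems.append(f"{name}: no value (truncated copy?)")
                continue
            pairs[name] = value.strip()
    return "Cookie: " + "; ".join(f"{n}={v}" for n, v in pairs.items()), problems

def auth_coverage(crawled, protected_prefixes, logout_markers=("logout", "signout", "logoff")):
    """Summarise a crawled-link list: protected paths reached, logout links hit."""
    paths = [urlsplit(u).path.lower() for u in crawled]
    return {
        "protected_crawled": sorted(p for p in paths if p.startswith(tuple(protected_prefixes))),
        "logout_crawled": sorted(p for p in paths if any(m in p for m in logout_markers)),
    }

# Constructed sample values (not from a real application or scan report).
CAPTURED = [
    "Set-Cookie: JSESSIONID=0123456789ABCDEF.node1; path=/; domain=app.example.test; HttpOnly",
    "Cookie: ASP.NET_SessionId=abcdefghijklmnopqrstuvwx; AUTHTOKEN",
]
CRAWLED = [
    "https://app.example.test/login",
    "https://app.example.test/account/profile",
    "https://app.example.test/account/Logout",
]

if __name__ == "__main__":
    header, problems = build_cookie_header(CAPTURED)
    print(header)
    print(problems)
    print(auth_coverage(CRAWLED, ["/account/"]))
```

An empty `protected_crawled` list suggests the injected cookie was not accepted or had expired; a non-empty `logout_crawled` list means the crawl reached a logout link, so that URL is a candidate for the scan's exclusion list.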