
Qualys WAS with Header Injection

Question asked by Manish Rana on Feb 3, 2017
Latest reply on Feb 8, 2017 by Sheela Sarva

Hi,

I have a question on Qualys WAS with header injection. Is it necessary to scan a web application in the same browser in which the web application cookie is captured? Consider this example:

A website www.example.com needs to be scanned with header injection. The application authenticates and stores the auth information in a cookie named ExampleAuthCookie. I open a browser (let's say Chrome) and authenticate into the application so that ExampleAuthCookie with value is stored in the browser cache. Now I open Qualys WAS and initiate a scan in another browser (let's say Mozilla) with header injection and provide the Cookie header with value.

If Qualys is not able to crawl authorized links of the website, then what could be the possible reason? Could it be that I used different browsers for storing the cookie and scanning?
