
Session Cookie

HostedScan supports setting custom cookies for the ZAP scanner. This may be a good option for a one-time scan. For recurring scheduled scans, we recommend using the recorded login, because a fixed cookie value will expire after some time.

Usually the easiest way to do this is to log in to the web application as you normally would. Then inspect the cookie storage using your browser's developer tools and find the session cookie.

  • In your HostedScan account, edit the Target you are configuring for authenticated scanning.

    Configure HostedScan target for authenticated scanning
  • Configure the session cookie

    Configure cookie on target
  • Exclude logout URLs from the scan

    Ensure that the scanner does not log out during the scan by excluding the logout URL(s).

    Exclude URLs from scan

3. Run a scan!

  • Click the "New Scan" button
  • Select the OWASP ZAP Active Web Application Scan
  • Select your target
  • Continue through the scan options and click "Run Scan"
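
To judge whether a fixed cookie will outlive the scans you plan, you can read its lifetime from the `Set-Cookie` header of the login response (visible in the developer tools' network tab). The following is an added example, not HostedScan code; the sample headers, the login time and the weekly two-hour scan schedule are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def cookie_expiry(set_cookie, received_at):
    """Return (name, expires_at) for one Set-Cookie header value.

    expires_at is None when the cookie carries neither Max-Age nor Expires.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        raise ValueError("no cookie found in header")
    name, morsel = next(iter(jar.items()))
    if morsel["max-age"]:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, received_at + timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return name, parsedate_to_datetime(morsel["expires"])
    return name, None


def scans_covered(expires_at, first_scan, interval, duration, horizon=52):
    """Count consecutive scheduled scans that finish before the cookie expires.

    Returns None when there is no client-side expiry. The server can still end
    the session earlier (idle or absolute timeout); the header cannot show that.
    """
    if expires_at is None:
        return None
    n = 0
    while n < horizon and first_scan + n * interval + duration <= expires_at:
        n += 1
    return n


# Constructed sample headers, as a login response might set them.
SAMPLES = [
    "sessionid=constructed-value-1; Path=/; HttpOnly; Secure; Max-Age=86400",
    "PHPSESSID=constructed-value-2; expires=Wed, 21 Oct 2026 07:28:00 GMT; path=/",
    "sid=constructed-value-3; Path=/; HttpOnly",
]
RECEIVED = datetime(2026, 10, 1, 12, 0, tzinfo=timezone.utc)    # assumed login time
FIRST_SCAN = datetime(2026, 10, 1, 13, 0, tzinfo=timezone.utc)  # assumed schedule

if __name__ == "__main__":
    for header in SAMPLES:
        name, exp = cookie_expiry(header, RECEIVED)
        runs = scans_covered(exp, FIRST_SCAN, timedelta(days=7), timedelta(hours=2))
        print(f"{name}: expires {exp}, weekly 2h scans covered: {runs}")
```

A cookie that covers only one or a few scheduled runs fits the one-time scan case; for anything recurring, the recorded login avoids re-entering a fresh value each time.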