Scan settings: Cookies/Headers

To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select Cookies/Headers.

Standard header parameters

The options in this section are described in the following table.

Include 'referer' in HTTP request headers
    Select this check box to include referer headers in OpenText DAST HTTP requests. The Referer request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained.

Include 'host' in HTTP request headers
    Select this check box to include host headers with OpenText DAST HTTP requests. The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource (generally an HTTP URL).

Append custom headers

Use this section to add, edit, or delete headers that will be included with each audit OpenText DAST performs. For example, you could add a header such as "Alert: You are being attacked by Consultant ABC" that would be included with every request sent to your company's server when OpenText DAST is auditing that site. You can add multiple custom headers.

The default custom headers are described in the following table.

Accept: */*
    Any encoding or file type is acceptable to the crawler.

Pragma: no-cache
    This forces a fresh response; cached or proxied data is not acceptable.

Accept-Encoding: gzip, deflate
    The client requests that the server use one of the specified encoding methods.

Adding a custom header

To add a custom header:

  1. Click Add.

    The Specify Custom Header window opens.

  2. In the Custom Header box, enter the header using the format <name>: <value>.

  3. Click OK.
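The point of a custom header such as "Alert: You are being attacked by Consultant ABC" is that the receiving side can recognise scan traffic. The following Python script is an added example, not part of the OpenText DAST product or this documentation: it validates a header entered in the `<name>: <value>` format the Specify Custom Header window expects, then reads a constructed web-server access log and separates scanner requests from everything else. It assumes the web server was configured to write the marker header's value as a trailing quoted field (for example, Apache's LogFormat directive with `%{Alert}i`), and that clients that send no such header are logged with "-" in that field.

```python
import re
from typing import NamedTuple

# Custom header as configured in the scanner, in the "<name>: <value>"
# format used by the Specify Custom Header window (value taken from the page).
SCAN_MARKER_HEADER = "Alert: You are being attacked by Consultant ABC"


class CustomHeader(NamedTuple):
    name: str
    value: str


def parse_custom_header(raw: str) -> CustomHeader:
    """Split a '<name>: <value>' string into its parts, rejecting strings
    that would not form a well-formed HTTP header field."""
    name, sep, value = raw.partition(":")
    # Field names are RFC 7230 tokens: no spaces or separators allowed.
    if not sep or not re.fullmatch(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+", name):
        raise ValueError(f"not a valid header line: {raw!r}")
    value = value.strip()
    if not value:
        raise ValueError(f"header {name!r} has no value")
    return CustomHeader(name, value)


# Constructed access log (sample data, not real traffic). The last quoted
# field is assumed to hold the marker header's value, "-" when absent.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "You are being attacked by Consultant ABC"
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /api/items?id=0 HTTP/1.1" 500 87 "You are being attacked by Consultant ABC"
203.0.113.9 - - [12/Mar/2024:10:01:04 +0000] "GET /api/items?id=0 HTTP/1.1" 500 87 "-"
203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "GET /home HTTP/1.1" 200 2048 "-"
"""

# Combined-log-style line with one extra quoted field for the marker header.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<marker>[^"]*)"$'
)


def classify(log_text: str, marker: CustomHeader) -> dict:
    """Split log records into scanner traffic (marker header present with
    the configured value) and all other traffic."""
    scanner, other = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than misattribute it
        rec = m.groupdict()
        (scanner if rec["marker"] == marker.value else other).append(rec)
    return {"scanner": scanner, "other": other}


def unattributed_errors(log_text: str, marker: CustomHeader) -> list:
    """Server errors (5xx) that did not come from the marked scanner, i.e.
    the ones that still need a human look during the scan window."""
    return [r for r in classify(log_text, marker)["other"]
            if r["status"].startswith("5")]


if __name__ == "__main__":
    marker = parse_custom_header(SCAN_MARKER_HEADER)
    split = classify(SAMPLE_LOG, marker)
    print(f"scanner requests: {len(split['scanner'])}, other: {len(split['other'])}")
    for rec in unattributed_errors(SAMPLE_LOG, marker):
        print("unattributed 5xx:", rec["ip"], rec["req"])
```

Matching on the exact configured value rather than on the header's presence keeps an arbitrary client from relabelling its own traffic as "the scan" by sending a similarly named header; the value should therefore be treated as a shared secret for the engagement and rotated afterwards.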

Append custom cookies

Use this section to specify data that will be sent with the Cookie header in HTTP requests sent by OpenText DAST to the server when conducting a vulnerability scan.

The default custom cookie used to flag the scan traffic is:

CustomCookie=WebInspect;path=/

Tip: The equal sign (=) is the delimiter between the name CustomCookie and the value WebInspect. The path=/ specifies that the cookie applies to all requests. The custom cookie named WebInspect has special processing. Other custom cookies with different names are treated as standard cookies.

Adding a custom cookie

To add a custom cookie:

  1. Click Add.

    The Specify Custom Cookie window opens.

  2. In the Custom Cookie box, enter the cookie using the format <name>=<value>.

    For example, if you enter

    CustomCookie=ScanEngine

    then each HTTP request will contain the following header:

    Cookie: CustomCookie=ScanEngine

    Tip: If you create a custom cookie and specify path=/xyz, the custom cookie appears only in requests whose path starts with "/xyz".

  3. Click OK.
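To make the path rule from the tip concrete, here is an added Python example (not code from OpenText DAST or this documentation) that parses cookies entered in the `<name>=<value>` format, with an optional `path=` attribute, and builds the Cookie header a request would carry. The page only says the cookie appears in requests "starting with" the path; the exact rule the scanner applies is not documented, so this example assumes the RFC 6265 path-match rule that browsers use, under which `path=/xyz` covers `/xyz` and `/xyz/page` but not `/xyzzy`. The cookie names and values other than the documented `CustomCookie` are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomCookie:
    name: str
    value: str
    path: str = "/"  # default: applies to every request, like path=/


def parse_custom_cookie(raw: str) -> CustomCookie:
    """Parse '<name>=<value>[;path=<path>]' as typed into the Specify
    Custom Cookie box. Unknown attributes are ignored."""
    parts = [p.strip() for p in raw.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"expected <name>=<value>, got {raw!r}")
    path = "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path" and val.strip():
            path = val.strip()
    return CustomCookie(name.strip(), value.strip(), path)


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match (assumed rule): equal paths, or
    the cookie path is a prefix that ends in '/', or the prefix is followed
    by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_header(cookies, request_path: str):
    """Cookie header value for one request, or None if no cookie applies."""
    pairs = [f"{c.name}={c.value}" for c in cookies
             if path_matches(c.path, request_path)]
    return "; ".join(pairs) if pairs else None


if __name__ == "__main__":
    configured = [
        parse_custom_cookie("CustomCookie=WebInspect;path=/"),   # from the page
        parse_custom_cookie("trace=abc;path=/xyz"),              # constructed
    ]
    for p in ("/home", "/xyz", "/xyz/page", "/xyzzy"):
        print(f"{p:10} -> Cookie: {cookie_header(configured, p)}")
```

If the scanner turns out to use a plain string prefix instead, only `path_matches` changes; the parsing and header assembly stay the same. Either way, a cookie scoped with `path=/xyz` never reaches handlers outside that subtree, which is useful when you want the flag visible only to one application on a shared host.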

See also

Scan settings: Allowed Hosts

Scan settings: Authentication

Scan settings: Custom Parameters

Scan settings: File Not Found

Scan settings: Filters

Scan settings: General

Scan settings: HTTP Parsing

Scan settings: JavaScript

Scan settings: Method

Scan settings: Policy

Scan settings: Proxy

Scan settings: Requestor

Scan settings: Session Exclusions

Scan settings: User Agent