Closed ethicalhack3r closed 8 years ago
If you use the nightlies and set a Cookie HTTP header then whatever raw data you've provided should be preserved.
If you're just setting name/value pairs then there's no way for Arachni to know what to do, so it encodes them per the RFC.
Alternatively, you can use the CLI with the --http-cookie-string option.
Ah! Makes sense, thanks for the info! :+1:
When supplying HTTP cookies in the profile editor via the web GUI in un-encoded format, the cookies get URL encoded when sent with requests rather than leaving them as input into the settings.
URL encoded cookies make the application I am testing throw an error as it expects them un-encoded.
This might be an edge case but it might be worth having an option to enable/disable URL encoding of the cookies that have been configured to be used. Or just use the value configured and do not do any encoding or decoding.
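
The difference described in the reply above (name/value pairs get encoded, a raw cookie string is preserved), as an added example that is not Arachni's code or part of the original thread. It flags which configured cookies would change under encoding and builds the raw string to supply instead; `percent_encode` is an assumed stand-in for the scanner's encoder, and the sample cookies are constructed.

```ruby
require 'uri'

# Assumed stand-in for the scanner's encoding step: plain percent-encoding.
# (Arachni's own encoder is not shown in this thread.)
def percent_encode(value)
  URI.encode_www_form_component(value).gsub('+', '%20')
end

# Cookies whose value would reach the application altered if encoded,
# returned as name => [raw, encoded].
def altered_by_encoding(cookies)
  cookies.each_with_object({}) do |(name, value), out|
    encoded = percent_encode(value)
    out[name] = [value, encoded] unless encoded == value
  end
end

# A value sent raw must not contain characters that would split the pair
# or the header itself.
def unsafe_raw?(value)
  value.match?(/[;\r\n\x00]/)
end

# Join the pairs verbatim into a raw cookie string; refuse values that
# cannot be sent safely without encoding.
def raw_cookie_string(cookies)
  bad = cookies.select { |_, v| unsafe_raw?(v) }.keys
  raise ArgumentError, "cannot send raw: #{bad.join(', ')}" unless bad.empty?
  cookies.map { |name, value| "#{name}=#{value}" }.join('; ')
end

# Constructed sample profile cookies (not from the thread).
SAMPLE = {
  'session' => 'dGVzdA==',            # base64 padding
  'prefs'   => 'theme=dark&lang=en',  # nested key/value data
  'uid'     => '1001'                 # unaffected by encoding
}.freeze

if __FILE__ == $PROGRAM_NAME
  altered_by_encoding(SAMPLE).each do |name, (raw, enc)|
    puts "#{name}: #{raw} -> #{enc}"
  end
  puts raw_cookie_string(SAMPLE)
end
```

The string returned by `raw_cookie_string` is the kind of value the `--http-cookie-string` option mentioned above takes.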