Ensure that Burp and the OWASP BWA VM are running and that Burp is configured as the proxy for the Firefox browser used to view the OWASP BWA applications.
- From the OWASP BWA Landing page, click the link to the OWASP Mutillidae II application.
- Open the Firefox browser and access the home page of OWASP Mutillidae II (URL: http://<your_VM_assigned_IP_address>/mutillidae/). Make sure you are starting a fresh session and are not logged in to the Mutillidae application.
- Switch to the Proxy | HTTP history tab and select the request showing your initial browse to the Mutillidae home page. Look for the GET request whose response contains Set-Cookie: assignments. Seeing these assignments confirms that you are receiving freshly created cookies for your session. Specifically, we are interested in the PHPSESSID cookie value.
- Examine the end of the Set-Cookie: assignment lines. Notice the absence of the HttpOnly flag on both lines. This means the PHPSESSID and showhints cookie values are not protected from access by client-side JavaScript. This is a security finding that you would include in your report.
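The manual check above (read each Set-Cookie line, look for HttpOnly at the end) can be automated over a saved response. The following is an added example, not code from the recipe, Burp, or the Mutillidae project: it parses the Set-Cookie headers of a raw HTTP response and reports, per cookie, which protective attributes are absent. The sample response is constructed to mirror the shape of the Mutillidae landing-page response; the cookie values are placeholders, not captured data.

```python
"""Audit Set-Cookie headers for missing HttpOnly (and Secure / SameSite) attributes.

Added example; not part of the Burp Suite recipe or the OWASP Mutillidae project.
"""
from typing import Dict, List

# Constructed sample response: same header shape as the Mutillidae landing page,
# with placeholder cookie values. Neither Set-Cookie line carries HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=placeholdersessionid; path=/\r\n"
    "Set-Cookie: showhints=1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Mutillidae</body></html>"
)


def parse_set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value part of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    header_lines = head.split("\n")[1:]  # drop the status line
    values = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_attributes(set_cookie_value: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into the cookie name, value and attributes.

    Attribute names are lower-cased so HttpOnly / httponly compare equal;
    flag-style attributes (no '=') are stored as True.
    """
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(raw_response: str) -> List[dict]:
    """One finding per cookie listing the protective attributes it lacks.

    HttpOnly is the attribute the recipe checks for; Secure and SameSite are
    reported too, since a reviewer would note them in the same finding.
    """
    findings = []
    for set_cookie in parse_set_cookie_headers(raw_response):
        cookie = cookie_attributes(set_cookie)
        attrs = cookie["attrs"]
        missing = [flag for key, flag in (("httponly", "HttpOnly"),
                                          ("secure", "Secure"),
                                          ("samesite", "SameSite"))
                   if key not in attrs]
        findings.append({"cookie": cookie["name"], "missing": missing})
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSE):
        status = "OK" if not finding["missing"] else "missing " + ", ".join(finding["missing"])
        print(f"{finding['cookie']}: {status}")
```

Run against the sample, both PHPSESSID and showhints are reported as missing HttpOnly (and Secure and SameSite), which is the finding the recipe asks you to record. Pasting the raw response from Burp's HTTP history in place of SAMPLE_RESPONSE gives the same report for a real capture.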