diff --git a/doc/wapiti.1 b/doc/wapiti.1
index 75282b250..983c87dc3 100644
--- a/doc/wapiti.1
+++ b/doc/wapiti.1
@@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
-.TH "WAPITI" "1" "March 2024" "" ""
+.TH "WAPITI" "1" "August 2024" "" ""
.
.SH "NAME"
\fBwapiti\fR \- A web application vulnerability scanner in Python
@@ -101,6 +101,9 @@ PROXY AND AUTHENTICATION OPTIONS:
\fB\-c\fR, \fB\-\-cookie\fR \fICOOKIE_FILE_OR_BROWSER_NAME\fR
.
.IP "\(bu" 4
+\fB\-C\fR, \fB\-\-cookie\-value\fR \fICOOKIE_VALUE\fR
+.
+.IP "\(bu" 4
\fB\-\-drop\-set\-cookie\fR
.
.IP "" 0
@@ -138,6 +141,9 @@ SCAN AND ATTACKS TUNING:
\fB\-x\fR, \fB\-\-exclude\fR \fIURL\fR
.
.IP "\(bu" 4
+\fB\-\-swagger\fR \fIURL\fR
+.
+.IP "\(bu" 4
\fB\-r\fR, \fB\-\-remove\fR \fIPARAMETER\fR
.
.IP "\(bu" 4
@@ -439,6 +445,9 @@ Load cookies from a Wapiti JSON cookie file\. See wapiti\-getcookie(1) for more
You can also import cookies from your browser by passing "chrome" or "firefox" as value (MS Edge is not supported)\.
.
.IP "\(bu" 4
+\fB\-C\fR, \fB\-\-cookie\-value\fR \fICOOKIE_VALUE\fR Set cookies from a valid user cookies\. You can import all the session cookies by copying the value of the cookies sent with headers from a request sent by an authenticated user\. For example: \-\-cookie\-value "PHPSESSIONID=5f4dcc3b5aa765d61d8327deb882cf99;cookie_2=somevalue"
+.
+.IP "\(bu" 4
\fB\-\-drop\-set\-cookie\fR
.
.br
@@ -526,22 +535,19 @@ Prevent the given URL from being scanned\. Common use is to exclude the logout U
This option can be applied several times\. Excluded URL given as a parameter can contain wildcards for basic pattern matching\.
.
.IP "\(bu" 4
-\fB\-r\fR, \fB\-\-remove\fR \fIPARAMETER\fR
-.
-.br
-If the given parameter is found in scanned URL it will be automatically removed (URLs are edited)\.
+\fB\-\-swagger\fR \fIURL\fR
.
.br
-This option can be used several times\.
+Extract API requests from the specified Swagger file\. Extracted requests are added to the crawler\.
.
.IP "\(bu" 4
-\fB\-\-swagger\fR \fIURL\fR
+\fB\-r\fR, \fB\-\-remove\fR \fIPARAMETER\fR
.
.br
-Extract API requests from the specified Swagger file\.
+If the given parameter is found in scanned URL it will be automatically removed (URLs are edited)\.
.
.br
-Extracted requests are added to the crawler\.
+This option can be used several times\.
.
.IP "\(bu" 4
\fB\-\-skip\fR \fIPARAMETER\fR
diff --git a/doc/wapiti.1.html b/doc/wapiti.1.html
index 3bdb6ecf6..8cfa663c1 100644
--- a/doc/wapiti.1.html
+++ b/doc/wapiti.1.html
@@ -141,6 +141,7 @@ OPTIONS SUMMARY
--form-enctype ENCTYPE
--form-script FILENAME
-c, --cookie COOKIE_FILE_OR_BROWSER_NAME
+-C, --cookie-value COOKIE_VALUE
--drop-set-cookie
@@ -317,6 +318,10 @@ PROXY AND AUTHENTICATION
-c, --cookie COOKIE_FILE_OR_BROWSER_NAME
Load cookies from a Wapiti JSON cookie file. See wapiti-getcookie(1) for more information.
You can also import cookies from your browser by passing "chrome" or "firefox" as value (MS Edge is not supported).
+-C, --cookie-value COOKIE_VALUE
+Set cookies from a valid user cookies.
+You can import all the session cookies by copying the value of the cookies sent with headers from a request sent by an authenticated user.
+For example: --cookie-value "PHPSESSIONID=5f4dcc3b5aa765d61d8327deb882cf99;cookie_2=somevalue"
--drop-set-cookie
Ignore cookies given in HTTP responses. Cookies that have been loaded using -c will be kept.
@@ -360,7 +365,7 @@ SCAN AND ATTACKS TUNING
This option can be applied several times. Excluded URL given as a parameter can contain wildcards for basic pattern matching.
--swagger URL
Extract API requests from the specified Swagger file.
-Extracted requests are added to the crawler.
+Extracted requests are added to the crawler.
-r, --remove PARAMETER
If the given parameter is found in scanned URL it will be automatically removed (URLs are edited).
This option can be used several times.
@@ -525,7 +530,7 @@ SEE ALSO
diff --git a/doc/wapiti.ronn b/doc/wapiti.ronn
index 64d5e27b8..3f801511b 100644
--- a/doc/wapiti.ronn
+++ b/doc/wapiti.ronn
@@ -49,6 +49,7 @@ PROXY AND AUTHENTICATION OPTIONS:
* `--form-enctype`
* `--form-script`
* `-c`, `--cookie`
+ * `-C`, `--cookie-value`
* `--drop-set-cookie`
SESSION OPTIONS:
@@ -201,6 +202,11 @@ OTHER OPTIONS:
* `-c`, `--cookie`
Load cookies from a Wapiti JSON cookie file. See wapiti-getcookie(1) for more information.
You can also import cookies from your browser by passing "chrome" or "firefox" as value (MS Edge is not supported).
+
+ * `-C`, `--cookie-value`
+ Set cookies from a valid user cookies.
+ You can import all the session cookies by copying the value of the cookies sent with headers from a request sent by an authenticated user.
+ For example: --cookie-value "PHPSESSIONID=5f4dcc3b5aa765d61d8327deb882cf99;cookie_2=somevalue"
* `--drop-set-cookie`
Ignore cookies given in HTTP responses. Cookies that have been loaded using `-c` will be kept.
diff --git a/wapitiCore/main/wapiti.py b/wapitiCore/main/wapiti.py
index e9a851656..8c5673bba 100755
--- a/wapitiCore/main/wapiti.py
+++ b/wapitiCore/main/wapiti.py
@@ -284,6 +284,9 @@ async def wapiti_main():
if "user_agent" in args:
wap.add_custom_header("User-Agent", args.user_agent)
+ if "cookie_value" in args:
+ wap.add_custom_header("Cookie", args.cookie_value)
+
for custom_header in args.headers:
if ":" in custom_header:
hdr_name, hdr_value = custom_header.split(":", 1)
diff --git a/wapitiCore/parsers/commandline.py b/wapitiCore/parsers/commandline.py
index 47fc91832..04245225b 100644
--- a/wapitiCore/parsers/commandline.py
+++ b/wapitiCore/parsers/commandline.py
@@ -226,6 +226,16 @@ def parse_args():
metavar="COOKIE_FILE"
)
+ parser.add_argument(
+ "-C", "--cookie-value",
+ default=argparse.SUPPRESS,
+ help=("Set a cookie to use for every request for authenticated scan.\n"
+ "You can put multiple cookies separated by semicolons as a value"
+ ),
+ metavar="COOKIE_VALUE",
+ dest="cookie_value"
+ )
+
parser.add_argument(
"--drop-set-cookie",
action="store_true",