Cookie Jar

The Cookie Jar centralises cookie inspection and editing across the project. Every cookie set by any captured response lands here, queryable by domain, name, and value. Edit cookies directly to test access control variations, export them for reuse in scripts, or import known cookies before starting a test.

What’s Captured

Every Set-Cookie header from every captured response is recorded. Per cookie:

  • Name + value
  • Domain (the actual Domain= attribute, or the response host as fallback)
  • Path
  • Expires / Max-Age
  • HttpOnly flag
  • Secure flag
  • SameSite attribute
  • Source flow ID
  • First-seen / last-modified timestamps

When a cookie is updated by a later response, the value rotates and history is preserved.
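As an added example (not the project’s own code), the following Python shows one way to turn the Set-Cookie headers of a captured response into records carrying the attributes listed above, including the host fallback for a missing Domain= attribute, Max-Age taking precedence over Expires, and the rotation-with-history behaviour when a later response sets the same cookie again. The record and jar classes, the (domain, path, name) key, and the sample headers and flow IDs are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CookieRecord:
    """One jar entry: the captured attributes plus the rotation history."""
    name: str
    value: str
    domain: str                    # Domain= attribute (leading dot stripped) or the response host
    path: str
    expires: Optional[datetime]    # None for a session cookie
    http_only: bool
    secure: bool
    same_site: Optional[str]
    source_flow: str
    first_seen: datetime
    last_modified: datetime
    history: list = field(default_factory=list)  # (old_value, flow_id, replaced_at)


def parse_set_cookie(header: str, response_host: str, flow_id: str,
                     now: datetime) -> Optional[CookieRecord]:
    """Parse a single Set-Cookie header value. Returns None when there is no
    name=value pair. Max-Age wins over Expires, as RFC 6265 requires."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    name = name.strip()
    if not sep or not name:
        return None
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()

    # Host-only cookie when Domain= is absent: fall back to the response host.
    domain = attrs.get("domain", "").lstrip(".").lower() or response_host.lower()
    expires = None
    if "max-age" in attrs:
        try:
            expires = now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age: treat as a session cookie
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            expires = None

    return CookieRecord(
        name=name, value=value.strip(), domain=domain, path=attrs.get("path") or "/",
        expires=expires, http_only="httponly" in attrs, secure="secure" in attrs,
        same_site=attrs.get("samesite") or None, source_flow=flow_id,
        first_seen=now, last_modified=now,
    )


class CookieJar:
    """Keyed by (domain, path, name). A later Set-Cookie for the same key rotates
    the value and pushes the superseded value onto the record's history."""

    def __init__(self):
        self._cookies = {}

    def ingest(self, set_cookie_headers, response_host, flow_id, now):
        for header in set_cookie_headers:
            rec = parse_set_cookie(header, response_host, flow_id, now)
            if rec is None:
                continue
            key = (rec.domain, rec.path, rec.name)
            existing = self._cookies.get(key)
            if existing is None:
                self._cookies[key] = rec
                continue
            existing.history.append((existing.value, existing.source_flow, existing.last_modified))
            existing.value, existing.expires = rec.value, rec.expires
            existing.http_only, existing.secure, existing.same_site = rec.http_only, rec.secure, rec.same_site
            existing.source_flow, existing.last_modified = flow_id, now

    def get(self, domain, name, path="/"):
        return self._cookies.get((domain.lower(), path, name))

    def all(self):
        return list(self._cookies.values())


def demo():
    """Constructed sample: two responses from app.example.com, the second rotating the session."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    jar = CookieJar()
    jar.ingest(["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
                "pref=dark; Domain=.example.com; Max-Age=3600"],
               response_host="app.example.com", flow_id="flow-1", now=t0)
    jar.ingest(["session=def456; Path=/; HttpOnly; Secure; SameSite=Lax"],
               response_host="app.example.com", flow_id="flow-2", now=t0 + timedelta(minutes=5))
    return jar


if __name__ == "__main__":
    for c in demo().all():
        print(c.domain, c.name, c.value, "history:", [h[0] for h in c.history])
```

The key deliberately includes the path: the same name set on two paths of one host is two cookies, which is also what a browser would store, so a value edit later applies to the right one.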

Filters

  • Domain — substring match
  • Name — substring match
  • Has flags — toggle filters for HttpOnly / Secure / SameSite
  • Expired — toggle to show only expired cookies (helpful for cleanup)
  • From scope only — limit to cookies set by in-scope hosts

Click any cookie row for the detail pane:

  • All attributes
  • Source flow (click to open)
  • Update history (every response that mutated this cookie’s value)
  • Decoded view if the value is Base64 / URL-encoded / JSON / JWT (auto-detected)

Editing

Cookies are editable in place:

  • Edit value — modify the cookie value; affects future requests through the proxy that match the cookie’s domain + path
  • Toggle flags — Secure / HttpOnly / SameSite
  • Set expiry
  • Delete — removes from the jar

Import / Export

Export

  • JSON — full jar with all attributes
  • Netscape format — for curl --cookie and other tools

Import

  • Paste / upload cookies in JSON or Netscape format
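Added example, not the project’s exporter: a Netscape-format writer and reader in Python that round-trips jar entries, so the export can be fed to curl --cookie and a pasted file can be imported back. The seven tab-separated fields (domain, include-subdomains flag, path, secure flag, expiry as Unix seconds with 0 for a session cookie, name, value) are the format curl reads; the "#HttpOnly_" domain prefix is curl’s convention for marking HttpOnly cookies. The dict shape of a jar entry and the sample cookies are assumptions constructed for the example.

```python
from datetime import datetime, timezone

NETSCAPE_HEADER = "# Netscape HTTP Cookie File"
HTTPONLY_PREFIX = "#HttpOnly_"   # curl's marker for HttpOnly cookies in this format


def to_netscape(cookies):
    """Serialise jar entries (dicts as in demo_jar) to the 7-field Netscape format."""
    lines = [NETSCAPE_HEADER, ""]
    for c in cookies:
        if "\t" in c["name"] or "\t" in c["value"] or "\n" in c["value"]:
            raise ValueError(f"cookie {c['name']!r} cannot be represented in Netscape format")
        host_only = c.get("host_only", True)
        domain = c["domain"].lower().lstrip(".")
        if not host_only:
            domain = "." + domain   # leading dot + TRUE flag: subdomains included
        if c.get("http_only"):
            domain = HTTPONLY_PREFIX + domain
        expiry = int(c["expires"].timestamp()) if c.get("expires") else 0
        lines.append("\t".join([
            domain,
            "FALSE" if host_only else "TRUE",
            c.get("path") or "/",
            "TRUE" if c.get("secure") else "FALSE",
            str(expiry),
            c["name"],
            c["value"],
        ]))
    return "\n".join(lines) + "\n"


def from_netscape(text):
    """Parse a Netscape cookie file; malformed lines are skipped, not half-imported."""
    cookies = []
    for line in text.splitlines():
        http_only = False
        if line.startswith(HTTPONLY_PREFIX):
            http_only, line = True, line[len(HTTPONLY_PREFIX):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t", 6)   # value is the last field and may itself contain tabs
        if len(fields) != 7:
            continue
        domain, flag, path, secure, expiry, name, value = fields
        try:
            expiry_ts = int(expiry)
        except ValueError:
            continue
        cookies.append({
            "domain": domain.lstrip("."),
            "host_only": flag.upper() != "TRUE",
            "path": path or "/",
            "secure": secure.upper() == "TRUE",
            "http_only": http_only,
            "expires": datetime.fromtimestamp(expiry_ts, tz=timezone.utc) if expiry_ts else None,
            "name": name,
            "value": value,
        })
    return cookies


def demo_jar():
    """Constructed sample jar: a host-only HttpOnly session cookie and a domain cookie."""
    return [
        {"domain": "app.example.com", "host_only": True, "path": "/", "secure": True,
         "http_only": True, "expires": None, "name": "session", "value": "abc123"},
        {"domain": "example.com", "host_only": False, "path": "/", "secure": False,
         "http_only": False, "expires": datetime(2030, 1, 1, tzinfo=timezone.utc),
         "name": "pref", "value": "dark"},
    ]


def round_trip(cookies):
    return from_netscape(to_netscape(cookies))


if __name__ == "__main__":
    print(to_netscape(demo_jar()), end="")
```

Write the output to a file and pass it with curl --cookie; note that the format has no field for SameSite, so that attribute is lost on export and the JSON export is the one to use when it matters.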

From-Flows Action

The From Flows action rebuilds the jar from a selection of flows. Useful when you’ve captured a clean session you want to reset to.

Purge Expired

The Purge Expired action removes all cookies past their Expires / Max-Age time. Run periodically to keep the jar clean.

Per-Domain Stats

The Domains sub-view groups cookies by domain with stats: cookie count, count missing Secure / HttpOnly / SameSite, count of cookies set on subdomains.

Useful for security posture reporting — “the customer’s auth cookie is missing HttpOnly across 12 of 14 subdomains”.
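Added example of how such per-domain stats and the “missing HttpOnly across N of M subdomains” figure can be computed from jar entries; this is illustrative Python, not the project’s implementation. It assumes jar entries are dicts with domain, name, secure, http_only and same_site keys, and it groups hosts by their last two labels, which is a simplification (a production version would consult the Public Suffix List). The sample jar is constructed.

```python
from collections import defaultdict


def registrable_domain(host):
    """Group key for a host. Assumption/simplification: the last two labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def per_domain_stats(cookies):
    """Posture counts per domain group: total cookies, cookies missing each
    protective attribute, and cookies set on a subdomain of the group."""
    stats = defaultdict(lambda: {"cookies": 0, "missing_secure": 0, "missing_httponly": 0,
                                 "missing_samesite": 0, "on_subdomains": 0})
    for c in cookies:
        group = registrable_domain(c["domain"])
        s = stats[group]
        s["cookies"] += 1
        s["missing_secure"] += int(not c.get("secure"))
        s["missing_httponly"] += int(not c.get("http_only"))
        s["missing_samesite"] += int(not c.get("same_site"))
        s["on_subdomains"] += int(c["domain"].lower().strip(".") != group)
    return dict(stats)


def flag_coverage(cookies, name, flag):
    """For one cookie name: (hosts missing the flag, hosts that set the cookie).
    A host counts as missing the flag if any copy of the cookie on it lacks it."""
    hosts = {}
    for c in cookies:
        if c["name"] == name:
            host = c["domain"].lower().strip(".")
            hosts[host] = hosts.get(host, True) and bool(c.get(flag))
    missing = sum(1 for ok in hosts.values() if not ok)
    return missing, len(hosts)


def report_line(cookies, name, flag):
    missing, total = flag_coverage(cookies, name, flag)
    return f"cookie {name!r} is missing {flag} on {missing} of {total} hosts"


def demo_jar():
    """Constructed sample: an auth cookie set on three hosts, HttpOnly on only one."""
    return [
        {"domain": "app.example.com", "name": "auth", "secure": True, "http_only": True, "same_site": "Lax"},
        {"domain": "api.example.com", "name": "auth", "secure": True, "http_only": False, "same_site": None},
        {"domain": "legacy.example.com", "name": "auth", "secure": False, "http_only": False, "same_site": None},
        {"domain": "example.com", "name": "pref", "secure": False, "http_only": False, "same_site": "Lax"},
        {"domain": "cdn.example-assets.net", "name": "cf", "secure": True, "http_only": True, "same_site": "None"},
    ]


if __name__ == "__main__":
    for domain, s in sorted(per_domain_stats(demo_jar()).items()):
        print(domain, s)
    print(report_line(demo_jar(), "auth", "http_only"))
```

SameSite=None is stored as the string "None" rather than a missing value, so it counts as present: the finding to report is an absent attribute, not a deliberately chosen one.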

Integration

  • Repeater — when sending a request, the jar’s matching cookies are included automatically (configurable per-tab)
  • Intruder / Scanner — same auto-include behaviour
  • Crawler — uses the jar for authenticated crawls
  • Match & Replace rules can target the Cookie header directly
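The auto-include behaviour above, and the Editing section’s rule that an edited value reaches every later request matching the cookie’s domain + path, both come down to cookie selection for an outgoing request. As an added example (not the project’s code), this Python implements RFC 6265 domain and path matching, skips expired cookies and Secure cookies on plain http, orders longer paths first, and shows an in-place value edit taking effect. The dict shape of jar entries, the function names, the NOW constant and the sample jar are assumptions constructed for the example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "current time" for the sample


def domain_matches(request_host, cookie_domain, host_only):
    """RFC 6265 §5.1.3: a host-only cookie matches its host exactly; a domain
    cookie matches the domain itself and any subdomain of it."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return host == domain
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 §5.1.4: prefix match on a path-segment boundary, so a cookie
    scoped to /admin is not sent to /administrator."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar, url, now):
    """Jar entries the proxy would attach to a request for url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    over_https = parts.scheme == "https"
    chosen = []
    for c in jar:
        if c.get("expires") is not None and c["expires"] <= now:
            continue                                  # expired: never sent
        if c.get("secure") and not over_https:
            continue                                  # Secure cookies only over https
        if not domain_matches(host, c["domain"], c.get("host_only", True)):
            continue
        if not path_matches(path, c.get("path") or "/"):
            continue
        chosen.append(c)
    # Longer (more specific) paths first; Python's sort is stable, so ties keep jar order.
    chosen.sort(key=lambda c: -len(c.get("path") or "/"))
    return chosen


def cookie_header(jar, url, now):
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies_for_request(jar, url, now))


def set_value(jar, domain, name, new_value, path="/"):
    """The Edit-value operation: change the stored value in place. Every later
    request the jar matches under the rules above carries the new value."""
    for c in jar:
        if (c["domain"].lower() == domain.lower() and c["name"] == name
                and (c.get("path") or "/") == path):
            c["value"] = new_value
            return True
    return False


def demo_jar():
    """Constructed jar; 'old' is already expired relative to NOW."""
    return [
        {"domain": "app.example.com", "host_only": True, "path": "/", "secure": True,
         "name": "session", "value": "abc123", "expires": None},
        {"domain": "example.com", "host_only": False, "path": "/", "secure": False,
         "name": "pref", "value": "dark", "expires": None},
        {"domain": "app.example.com", "host_only": True, "path": "/admin", "secure": True,
         "name": "admin_csrf", "value": "t0k3n", "expires": None},
        {"domain": "app.example.com", "host_only": True, "path": "/", "secure": False,
         "name": "old", "value": "gone", "expires": datetime(2020, 1, 1, tzinfo=timezone.utc)},
        {"domain": "other.example.org", "host_only": True, "path": "/", "secure": False,
         "name": "x", "value": "y", "expires": None},
    ]


if __name__ == "__main__":
    jar = demo_jar()
    for url in ("https://app.example.com/admin/users", "http://app.example.com/",
                "https://api.example.com/", "https://app.example.com/administrator"):
        print(url, "->", cookie_header(jar, url, NOW))
```

The http case is the one worth noticing when a Repeater request unexpectedly goes out without its session cookie: a Secure cookie is withheld on plain http, exactly as a browser would withhold it.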

MCP

The cookie_jar MCP tool exposes:

  • list — all cookies (with optional domain/name filters)
  • get — one cookie by id
  • set — add or update a cookie
  • delete — remove a cookie
  • clear — empty the jar
  • domains — list domains with cookie counts
  • export — dump the jar in json or netscape format
  • import — load cookies from json or netscape format
  • from_flows — rebuild from selected flow IDs
  • expired — list expired cookies
  • purge_expired — delete all expired cookies