How to do it...

Ensure Burp and the OWASP BWA VM are running, and that Burp is configured as the proxy in the Firefox browser used to view the OWASP BWA applications.

  1. From the OWASP BWA landing page, click the link to the OWASP Mutillidae II application.
  2. In the Firefox browser, open the home page of OWASP Mutillidae II (URL: http://<your_VM_assigned_IP_address>/mutillidae/). Make sure you are starting a fresh session and are not logged in to the Mutillidae application.

  3. Switch to the Proxy | HTTP history tab and select the request for your initial browse to the Mutillidae home page. Look for the GET request whose response contains Set-Cookie: assignments. Whenever you see these assignments, you know you are receiving freshly created cookies for your session. Specifically, we are interested in the PHPSESSID cookie value.
  4. Examine the end of each Set-Cookie: line. Notice the absence of the HttpOnly flag on both lines. This means the PHPSESSID and showhints cookie values can be read and manipulated by JavaScript running in the page (for example, through document.cookie). This is a security finding that you would include in your report.
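The check performed by hand in steps 3 and 4 can be automated over a saved response. The following script is an added example, not code from the book or from Burp: it parses every Set-Cookie header in a raw HTTP response and reports which cookies lack the HttpOnly flag (and, optionally, the Secure flag, which only matters once the application is served over HTTPS). The two responses embedded below are constructed to resemble the Mutillidae home page response; the cookie values are made up, not captured data.

```python
"""Report Set-Cookie headers that lack HttpOnly (and optionally Secure) in a raw HTTP response."""
from typing import Dict, List, Union

# Constructed sample response, modelled on the Mutillidae home page: neither cookie carries HttpOnly.
LAB_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.2.14 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/\r\n"
    "Set-Cookie: showhints=1; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response showing the hardened form of the same cookies.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: showhints=1; path=/; HttpOnly\r\n"
    "\r\n"
)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into cookie name, cookie value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes such as HttpOnly and Secure have no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header found in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        header_name, _, header_value = line.partition(":")
        if header_name.strip().lower() == "set-cookie":
            values.append(header_value.strip())
    return values


def missing_flags(raw_response: str, require_secure: bool = False) -> Dict[str, List[str]]:
    """Map each cookie name to the protective flags it lacks; cookies with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for header_value in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(header_value)
        lacking = []
        if "httponly" not in cookie["attrs"]:
            lacking.append("HttpOnly")
        if require_secure and "secure" not in cookie["attrs"]:
            lacking.append("Secure")
        if lacking:
            findings[cookie["name"]] = lacking
    return findings


if __name__ == "__main__":
    # The lab runs over plain HTTP, so Secure is not required here.
    for label, response in (("lab response", LAB_RESPONSE), ("hardened response", HARDENED_RESPONSE)):
        print(label + ":", missing_flags(response) or "no findings")
```

Paste a response copied from Burp's HTTP history into LAB_RESPONSE (or read it from a file) to reproduce the finding: the lab response yields a finding for both PHPSESSID and showhints, while the hardened response yields none.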
