WebScarab-NG: Autumn of Code 2006 Project

Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, dave.wichers@aspectsecurity.com
WebScarab Project Lead: Rogan Dawes, rogan@dawes.za.net

What is WebScarab?

A tool for anyone involved with HTTP-based applications (e.g. web applications).

Key features:
Full visibility into the HTTP protocol
Ability to modify HTTP requests in any way
Also supports HTTPS (incl. client certs)
Persistent audit trail that can easily be reviewed

Primary uses: security analysis, web application debugging.

This slide is talking about the OLD WebScarab.

Who is writing WebScarab-NG?

Rogan Dawes, rogan@dawes.za.net
Lives in South Africa (just had his first baby May 3rd (Connor Michael Hastings Dawes), otherwise he’d be here!!)
Has been developing proxy tools for a while: first Mangle (in Perl), then Exodus (in Java), then WebScarab and now WebScarab-NG
Currently works for Aspect Security

What is wrong with WebScarab?

“Plainly put - WebScarab’s UI is a disaster!” – Rogan Dawes, author of WebScarab

One of the major reasons for a rewrite of WebScarab was the user interface. In the first place, all the functionality (plugins) can be quite intimidating for a newcomer. There have also been many complaints about the non-intuitiveness of the interface, and even little things like “right-click copy and paste menus” were not available. Going through the entire application and trying to retro-fit this seemed like a huge task for little reward. Another reason was the close coupling between the underlying data model and the presentation layer, as well as the thousands of files that WebScarab typically writes while recording a session (even temporary sessions!). Unfortunately, these design decisions are not easy to fix in the existing code.

WebScarab Deficiencies - Summary

UI – not intuitive
Expected UI sugar, like “right-click copy and paste menus”, etc., not available
Trying to retro-fit this is a huge task
Extensive functionality (plugins) is intimidating
Close coupling between the underlying data model and the presentation layer
1000s of files WebScarab writes to record a session (even temporary sessions!)

The solution: WebScarab-NG

WebScarab-NG makes use of an application framework called the Spring Framework, as well as the Spring Rich Client Platform (RCP). This gives us tons of (Human Interface Guidelines-compliant) stuff, almost without effort:
Easy internationalisation of text
Automatic “copy and paste” menus
Robust command framework – automatic activation and deactivation of commands when appropriate
Intuitive separation of View from Model/Data Layer
Spring JDBC code is very easy to write
etc., etc.

You might want to point out that you can select which columns you are interested in in the “Conversations” view.

WebScarab-NG Benefits

Using Spring we get tons of (Human Interface Guidelines-compliant) stuff, almost without effort:
Easy internationalization of text
Automatic “copy and paste” menus
Robust command framework – automatic activation and deactivation of commands when appropriate
Intuitive separation of View from Model/Data Layer
Spring JDBC code also very easy to write

Current WebScarab-NG features

Intercepting Proxy: intercept and modify HTTP(S) conversations
Manual Request: modify and replay requests
Flexible perspectives: Eclipse-like; you can choose which views to include
Data written to a local in-process database
Runs using Java Web Start: automatic updates!
But lots of WebScarab features are not yet ported

Perspectives are still under development. Interesting statistic: WS-NG is seeing quite extensive use from 390 unique IP addresses over the last 32 days. One person/organisation has run it at least 200 times!

WebScarab-NG special features

Proxy control bar: stays on top; drop-down control of request intercept; annotate the next conversation to be made
Docking framework
Validation

The Proxy Control Bar stays on top of all windows, and can be easily positioned, e.g. over the title bar of your browser. The description entered is used to document the next conversation to pass through the proxy. This helps to explain why certain series of requests were made, e.g. “Pressed login button”. The docking framework allows the user to configure WS-NG to their layout preferences (although it doesn’t currently record those preferences!). The dynamic validation prompts the user when they have entered invalid data, and automatically disables buttons/commands.

WebScarab-NG – finding conversations

Select URL(s) to filter the conversation list
Filter further by keyword or search (Ctrl-F)

Clicking on one or more URLs in the site map will restrict the conversations shown to those “under” the selected hierarchies. This helps to exclude sites that you are not interested in. Typing text into the “filter” text field dynamically (as you type) restricts the results to those that contain the desired string. You can also search for text in the table via the Ctrl-F find dialog.

At this stage, you can demonstrate WS-NG in action, accessing WebGoat, for example. E.g. show how the proxy tool bar works, enable and disable intercepts, make an annotation in the toolbar, and show how it appears in the conversation list. Edit the annotation and show that it gets updated. Show the immediate validation in the “Intercept Request” function (when editing in the tree mode, it only kicks in after the cell is finished being edited).

So why use the old WebScarab?

Reliability – extensive testing over 4 years
More features:
Web Services support
Transcoder (an encoder/decoder)
Include/Exclude Filters
Reverse proxy
Spider
XSS/CRLF injection tests
Session ID Analysis
Scripting engine
Fuzzer
Advanced Search
SSL Client certificate support

More testing of WS-NG is obviously appreciated – report findings to the owasp-webscarab mailing list.

You may want to show some of the features of old WS at this point. I don’t want to make slides for this, since it is kind of silly to switch from WS to PowerPoint just to advance to another “Demonstration:” slide, and switch back to WS.

The future of WebScarab (-NG)

Significant new development only on -NG, unless we get patches
OWASP Spring of Code 2007:
Implementation of automated testing: record and replay test cases
Reimplementation of major features: Spider (incl. forms!), Web Services, Reverse Proxy, Improved Session ID analysis, Scripting Engine
Automated identity tracking

The automated identity tracking will be able to associate an identity with a conversation, based on session id (with lifetime management), Basic Auth, etc. A request might end up with multiple identities if conflicting identifiers are sent. This should make it easy to automate identification of the site’s access control matrix.

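As an added illustration of the identity-tracking idea described above (example code written for this page, not WebScarab-NG's own implementation), the following walks a constructed list of proxied conversations, derives each request's identities from its session cookie (with the session's lifetime driven by Set-Cookie) and its Basic-Auth user, flags requests that carry conflicting identifiers, and accumulates an access control matrix of identity, URL and response status. The cookie name JSESSIONID, the host app.example and the conversation records are assumptions.

```python
import base64
from collections import defaultdict

SESSION_COOKIE = "JSESSIONID"  # assumed session cookie name for the constructed sample

def make_conv(url, status, cookie=None, auth=None, set_cookie=None):
    req = {k: v for k, v in (("Cookie", cookie), ("Authorization", auth)) if v}
    return {"url": url, "req": req, "status": status, "resp": {"Set-Cookie": set_cookie} if set_cookie else {}}

SAMPLE = [  # constructed sample of proxied conversations, not real WebScarab-NG output
    make_conv("http://app.example/login", 200, set_cookie="JSESSIONID=abc123; Path=/"),
    make_conv("http://app.example/admin", 403, cookie="JSESSIONID=abc123"),
    make_conv("http://app.example/admin", 200, cookie="JSESSIONID=abc123", auth="Basic YWRtaW46c2VjcmV0"),  # admin:secret
    make_conv("http://app.example/logout", 200, cookie="JSESSIONID=abc123", set_cookie="JSESSIONID=; Max-Age=0"),
    make_conv("http://app.example/admin", 403, cookie="JSESSIONID=abc123"),
]

def request_session_ids(conv):  # session ids carried in the request's Cookie header
    parts = [p.strip().partition("=") for p in conv["req"].get("Cookie", "").split(";")]
    return [v for n, _, v in parts if n == SESSION_COOKIE and v]

def identities(conv, live):  # identities one request asserts: session ids and Basic-Auth users
    found = {f"session:{s}" if s in live else f"session:{s}(expired)" for s in request_session_ids(conv)}
    auth = conv["req"].get("Authorization", "")
    if auth.startswith("Basic "):
        found.add("basic:" + base64.b64decode(auth[6:]).decode().split(":", 1)[0])
    return found or {"anonymous"}

def update_sessions(conv, live):  # lifetime management driven by the response's Set-Cookie
    cookie = conv["resp"].get("Set-Cookie", "")
    if cookie.startswith(SESSION_COOKIE + "="):
        value, _, attrs = cookie[len(SESSION_COOKIE) + 1:].partition(";")
        if value and "max-age=0" not in attrs.lower():
            live.add(value)  # a fresh session id starts a session
        else:  # empty value or Max-Age=0 ends the session(s) the request carried
            live.difference_update(request_session_ids(conv))

def track(conversations):
    """Per-conversation identity sets, indexes of requests with conflicting identifiers,
    and the access control matrix (identity -> url -> response statuses seen)."""
    live, labels = set(), []
    matrix = defaultdict(lambda: defaultdict(set))
    for c in conversations:
        ids = identities(c, live)
        labels.append(ids)
        for ident in ids:
            matrix[ident][c["url"]].add(c["status"])
        update_sessions(c, live)
    return labels, [i for i, ids in enumerate(labels) if len(ids) > 1], matrix
```

On the sample, the third request is flagged because it sends both a session cookie and Basic credentials, and the last request is labelled with an expired session because the logout response ended it.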
Questions and Answers