Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
OWASP AppSec DC, October
Advanced WebScarab
Rogan Dawes, WebScarab project lead
Senior Consultant, Deloitte South Africa

Who am I?
• Day job
  ◦ Senior Consultant, Deloitte South Africa, ERS
  ◦ Security assessments
  ◦ Security consulting
• Night job
  ◦ Self-taught Java programmer
  ◦ Exodus
  ◦ WebScarab

What is WebScarab?
• A tool for anyone involved with HTTP-based applications (e.g. web applications)
• Key features
  ◦ Full visibility into the HTTP protocol
  ◦ Also supports HTTPS (including client certificates)
  ◦ Persistent audit trail that can easily be reviewed
• Primary uses
  ◦ Security analysis
  ◦ Application debugging

What does WebScarab do?
• Allows the user to view HTTP(S) conversations between browser and server
• Allows the user to review those conversations
• Allows the user to intercept and modify them on the fly
• Allows the user to replay previous requests
• Allows the user to script conversations, with full access to the request and response object models
• And much more!

Obtaining WebScarab
• Hosted on SourceForge
• Various package formats
  ◦ webscarab-installer-.jar
  ◦ webscarab-selfcontained-.jar
  ◦ webscarab-src-.jar
• Windows IE integration library: W32WinInet.dll
• JavaHelp support

Setting up the environment
• Upstream proxies
  ◦ Internet Explorer integration: "Get IE settings"
  ◦ The exclusion list uses the IE format
• Certificates
  ◦ PKCS#12 format files
  ◦ Store password and key password are usually identical
  ◦ The server certificate is loaded from the .jar
  ◦ MS CAPI integration (IE certificate store) is coming
• Settings are saved in a properties file: ${user.home}/WebScarab.properties

Useful tools
• Shared Cookies
  ◦ List of cookies seen by the various plugins
  ◦ Maintains a history of previous cookies
  ◦ Cookies can be added and deleted
  ◦ Can be used by the Manual Request and Spider plugins
• Transcoder
  ◦ URL encode/decode
  ◦ Base64 encode/decode
  ◦ Hashing

Conversation viewer
• Remembers size and placement
• Split panes allow resizing of the request and response areas
• Different "editors" for the various Content-Types
  ◦ Hex
  ◦ Text
  ◦ Image
  ◦ HTML
  ◦ XML
  ◦ URL-encoded
  ◦ Multi-part

Configuring proxy listeners
• Listens on port 8008 by default
• Supports multiple listeners if required
• "Uses plugins" is optional
• Internet Explorer integration: the primary listener hijacks the IE proxy settings on startup
• Reverse proxy support
  ◦ For applications with a hard-coded server address
  ◦ Cannot be the primary listener!
• Network simulators: latency and bandwidth

Manual Request
• Create a request from scratch, or base it on a previous request chosen from the drop-down
• Automatic Content-Length adjustment (only if the header already exists)
• Change to the "Raw" tab to get the new editors (the Content-Type header is checked to pick one)
• "Get Cookies" updates the request from "Shared Cookies"
• "Update CookieJar" adds the request's cookies to "Shared Cookies"

Session ID Analysis
• Quickly collect a large sample of cookies
• Convert each string to a (BIG) number
  ◦ Default calculator: per-position character set
  ◦ Various calculation algorithms are possible, but changing calculators requires recompilation
• Table shows the calculated numbers and the differences between consecutive values
• Graph allows visual identification of patterns

Session ID Analysis (continued)
• Based on a previous request chosen from the drop-down
• Manual editing if necessary (e.g. HEAD vs GET)
• Choose the location of the session ID, and its name
• A regex describes the substring to extract; the default regex is (.*)
• "Test" shows what is extracted
• Specify the number of samples
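The two Session ID Analysis slides describe an extraction regex with a capture group and a "per-position character set" calculator that turns each ID into a big number so that consecutive differences can be tabulated. The block below is an added illustration of that idea in Python; it is not WebScarab's own (Java) code. The Set-Cookie values, the cookie name JSESSIONID and the extraction regex are constructed for the example, and the mixed-radix conversion is one reasonable reading of "per-position character set" rather than a copy of WebScarab's calculator.

```python
import math
import re
from typing import Dict, List, Sequence

# Constructed Set-Cookie header values standing in for a collected sample.
# They are NOT captured from a real application; the values were chosen so
# that a counter in the last position is visible in the differences column.
SAMPLE_HEADERS = [
    "JSESSIONID=A9F3; Path=/; HttpOnly",
    "JSESSIONID=A9F4; Path=/; HttpOnly",
    "JSESSIONID=A9F5; Path=/; HttpOnly",
    "JSESSIONID=A9G0; Path=/; HttpOnly",
]


def extract_session_id(header_value: str, regex: str = "(.*)") -> str:
    """Keep the substring captured by the first group of `regex`.

    This is the slide's extraction step: the default (.*) keeps the whole
    value; a tighter regex such as JSESSIONID=([^;]+) isolates the ID.
    """
    match = re.search(regex, header_value)
    if match is None:
        raise ValueError(f"{regex!r} did not match {header_value!r}")
    return match.group(1) if match.groups() else match.group(0)


def position_charsets(samples: Sequence[str]) -> List[str]:
    """Per-position character set: the sorted characters seen at each index."""
    length = len(samples[0])
    if any(len(s) != length for s in samples):
        raise ValueError("the per-position calculator needs equal-length samples")
    return ["".join(sorted({s[i] for s in samples})) for i in range(length)]


def to_number(sample: str, charsets: List[str]) -> int:
    """Mixed-radix conversion of one ID (assumed reading of the calculator).

    The digit at position i is the index of the character in charsets[i];
    the radix at that position is the size of the character set; the
    leftmost position is the most significant.
    """
    value = 0
    for ch, charset in zip(sample, charsets):
        value = value * len(charset) + charset.index(ch)
    return value


def analyze(samples: Sequence[str]) -> Dict[str, object]:
    """Numbers, consecutive differences and how much the sample varies."""
    charsets = position_charsets(samples)
    numbers = [to_number(s, charsets) for s in samples]
    differences = [b - a for a, b in zip(numbers, numbers[1:])]
    # log2 of the product of the per-position charset sizes: the number of
    # bits over which the observed sample actually varies. Small values and
    # constant differences are what the table and graph make visible.
    observed_bits = sum(math.log2(len(c)) for c in charsets)
    fixed_positions = [i for i, c in enumerate(charsets) if len(c) == 1]
    return {
        "charsets": charsets,
        "numbers": numbers,
        "differences": differences,
        "observed_bits": observed_bits,
        "fixed_positions": fixed_positions,
    }


if __name__ == "__main__":
    ids = [extract_session_id(h, r"JSESSIONID=([^;]+)") for h in SAMPLE_HEADERS]
    for key, value in analyze(ids).items():
        print(f"{key}: {value}")
```

On the constructed sample the differences column is a run of 1s and only two positions vary at all, which is exactly the kind of pattern the graph on the slide is meant to expose; a well-generated ID would show large, irregular differences across every position.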

Demonstration: collecting and graphing session IDs from WebGoat

Scripting support
• Proxy BeanShell hook:

    public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
        // your request modifications here
        Response response = nextPlugin.fetchResponse(request);
        // your response modifications here
        return response;
    }

• Tools -> Script Manager
• Plugins export hooks
  ◦ Framework hook
  ◦ Proxy hooks

Scripting support (continued)
• Scripted plugin
  ◦ Multiple language support via BSF (Bean Scripting Framework)
  ◦ BeanShell (tested)
  ◦ JavaScript, Jython, Groovy, etc. (untested)
• Documentation is in the source code: ScriptedObjectModel.java
• Most useful methods:

    public Request getRequest(int id)
    public Response fetchResponse(Request request)
    public ConversationID addConversation(Response response)
    public void submitAsyncRequest(Request request)
    public Response getAsyncResponse()

Demonstration: brute forcing a session ID

New plugins
• Fuzzer
• Search
• Compare
• Web Services

Fuzzer
• Specify the method, URL and HTTP version
• Add any additional headers
• Specify the parameters
  ◦ Location (Path, Fragment, Query, Cookie, Body)
  ◦ Name
  ◦ Type (only String)
  ◦ Value (used if this parameter is not being fuzzed)
  ◦ Priority (controls the permutation algorithm)
  ◦ Fuzz source (a named list of fuzz strings)
• GO!

Creating fuzz sources
• Description
• File name and location
• The internal interface also supports programmatic generation of strings (e.g. length-related), but this requires some coding
• The fuzzer is extremely stupid
  ◦ It only stops on errors (an HTTP 400 or an exception)
  ◦ Just hit Start again if it stops

Demonstration: fuzzing for SQL injection errors

Search plugin
• How do we find the interesting results, then?
• The Search plugin performs arbitrary matches against conversations
• Description
• Search expression, e.g.:

    new String(response.getContent()).matches("(?is).*(error|exception).*")

  ◦ (?is) makes the match case-insensitive and lets . match across line breaks, so the pattern spans multi-line bodies

Demonstration: finding conversations with SQL injection errors

Compare
• Compares the bodies of various responses
• Select a baseline to compare against
• The conversation list shows the "distance" from the baseline (number of words)
• Can be sorted on any (combination of) columns
• Select a conversation to show both bodies
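The Search and Compare slides describe two ways of triaging a large conversation list: a regular-expression match over response bodies (with the slide's example expression) and a word-count "distance" from a chosen baseline. The block below is an added Python illustration of both, not WebScarab's own code; the conversations are constructed, and the word-level distance is one plausible definition of the slide's "# words" rather than the plugin's exact metric.

```python
import re
from difflib import SequenceMatcher
from typing import Dict, List, Tuple

# Constructed conversations standing in for WebScarab's conversation list.
# Nothing here was captured from a real application.
CONVERSATIONS: List[Dict[str, object]] = [
    {"id": 1, "request": "GET /item?id=1", "status": 200,
     "body": "<html><body>Item 1: Widget, price 10</body></html>"},
    {"id": 2, "request": "GET /item?id=2", "status": 200,
     "body": "<html><body>Item 2: Gadget, price 12</body></html>"},
    {"id": 3, "request": "GET /item?id=x", "status": 500,
     "body": "<html><body>java.sql.SQLException: unterminated quoted string</body></html>"},
]

# The slide's example expression. Java's String.matches() requires the whole
# body to match, hence the surrounding .*; (?i) is case-insensitive and (?s)
# lets . match newlines, so the expression also works on multi-line bodies.
ERROR_EXPRESSION = r"(?is).*(error|exception).*"


def search(conversations: List[Dict[str, object]], expression: str) -> List[int]:
    """Ids of conversations whose response body matches `expression`.

    re.fullmatch mirrors Java's matches(): the pattern must consume the whole body.
    """
    pattern = re.compile(expression)
    return [c["id"] for c in conversations if pattern.fullmatch(str(c["body"]))]


def words(body: str) -> List[str]:
    """Tokenise a body into words; markup punctuation is dropped."""
    return re.findall(r"\w+", body)


def distance(baseline: str, other: str) -> int:
    """Word distance: how many words must be inserted, deleted or replaced
    to turn the baseline body into the other body (assumed metric)."""
    matcher = SequenceMatcher(a=words(baseline), b=words(other), autojunk=False)
    total = 0
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            total += max(i2 - i1, j2 - j1)
    return total


def compare(conversations: List[Dict[str, object]], baseline_id: int) -> List[Tuple[int, int]]:
    """(id, distance) for every conversation, sorted by distance from the
    baseline, the way the Compare list is sorted on its distance column."""
    by_id = {c["id"]: c for c in conversations}
    baseline = str(by_id[baseline_id]["body"])
    ranked = [(c["id"], distance(baseline, str(c["body"]))) for c in conversations]
    return sorted(ranked, key=lambda pair: (pair[1], pair[0]))


if __name__ == "__main__":
    print("error-like responses:", search(CONVERSATIONS, ERROR_EXPRESSION))
    for cid, dist in compare(CONVERSATIONS, baseline_id=1):
        print(f"conversation {cid}: {dist} words from baseline")
```

The two views complement each other: the regex finds responses that name an error outright, while the distance ranking surfaces responses that differ sharply from a known-good baseline even when they contain no obvious error string.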

Web Services
• Identifies WSDL in conversations; can also load it from a file
• Parses the WSDL, including the schema (complex types!)
• Presents the services and operations
• Constructs an object hierarchy for editing
• Converts it to a SOAP message
• Invoke!
• Currently RPC/encoded only

Questions?
Rogan Dawes, WebScarab project lead
Senior Consultant, Deloitte South Africa
OWASP AppSec DC, October