OWASP WebScarab Uncovering the hidden treasures. Overview WebScarab aims to facilitate the review of web applications Functional operations Security Operations.


OWASP WebScarab Uncovering the hidden treasures

Overview
- WebScarab aims to facilitate the review of web applications
  - Functional operations
  - Security operations
- It was written by a techie for personal use
  - Not always intuitive
  - Hidden keystrokes
  - Lack of examples

Objectives
- Show participants how some of the less obvious features work
  - Using the Spider
  - Request Transforms
  - Using the Fuzzer
  - Comparing Responses
  - Searching WebScarab history

Objectives
- Show participants how some of the less obvious features work
  - Exploring the BeanShell
  - Writing Proxy Intercept scripts
  - Writing Script Manager scripts
  - Writing other scripts

WebScarab Spider

Huh - Shared Cookies?

Request Transforms

Using the Fuzzer
- You can hand craft a request, one parameter at a time

Using the Fuzzer
- Or you can use an existing request as a template!

Fuzzer – Parameter fields
- Location = where the parameter can be found (Path and Fragment do not work)
- Name = obvious
- Type = meaningless (I can't remember why I added it!)
- Value = default value when not being fuzzed
- Priority = drives the permutations. Same priority = lockstep, different priority = cross product

Fuzzer – Fuzz sources
- From a file (one value per line)
- From a regex

Fuzzer – Reviewing results

Searching in TextAreas
- Press Ctrl-F in the TextArea to show the Search Bar
- Or click in the TextArea, then click Find

Searching in TextAreas
- The search string is actually a regex; WebScarab highlights any groups specified
- This means you need to escape regex special characters!

Comparing responses

Comparing responses
- You can also view the changes in a single window, rather than side by side, by pressing Ctrl-L in the compare window. This is a toggle key.

Searching history

Searching history
- The search expression is a BeanShell snippet
- BeanShell is just interpreted Java, with some leniencies
- Two predefined variables: request and response
- If the expression returns true, the conversation is shown
- Exceptions are counted as "false"
- Very powerful, but not terribly friendly

Request and Response API

    Request:
    String getMethod()
    void setMethod(String method)
    HttpUrl getURL()
    void setURL(HttpUrl url)
    void setURL(String url) throws MalformedURLException
    String getVersion()
    void setVersion(String version)

    Response:
    String getVersion()
    void setVersion(String version)
    String getStatus()
    void setStatus(String status)
    String getMessage()
    void setMessage(String message)
    String getStatusLine()

Message API (shared by Request and Response)

    String[] getHeaderNames()
    String getHeader(String name)
    void setHeader(String name, String value)
    void addHeader(String name, String value)
    void deleteHeader(String name)
    NamedValue[] getHeaders()
    void setHeaders(NamedValue[] headers)
    byte[] getContent()
    void setContent(byte[] content)

Search expression examples

    response.toString().indexOf("alert") > -1
    new String(response.content).indexOf("alert") > -1
    request.getHeader("Content-Type").startsWith("application")
    request.getMethod().equals("POST")
    new String(response.content).matches("(?s).*\tat.*")   // stack traces
    // the URL prefix was lost in the transcript; when no Set-Cookie header is present,
    // getHeader() returns null, the expression throws, and the conversation counts as "false"
    request.getURL().toString().startsWith("…") && response.getHeader("Set-Cookie").indexOf("secure") == -1
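A longer search expression, added here as an example and not taken from the deck, that shows every conversation in which any Set-Cookie header lacks the Secure or HttpOnly attribute. It uses only response.getHeaders() from the Message API above, assumes the NamedValue elements expose getName() and getValue(), and assumes the search field accepts a multi-statement BeanShell snippet ending in a return.

```java
// Added example search expression, not from the original slides.
// Assumption: NamedValue has getName() and getValue().
weak = false;
headers = response.getHeaders();
if (headers != null) {
    for (int i = 0; i < headers.length; i++) {
        // look at every Set-Cookie header, not just the first one getHeader() would return
        if (!"Set-Cookie".equalsIgnoreCase(headers[i].getName())) continue;
        value = headers[i].getValue().toLowerCase();
        // a cookie is flagged when either attribute is missing
        if (value.indexOf("secure") == -1 || value.indexOf("httponly") == -1) {
            weak = true;
        }
    }
}
// true -> the conversation is shown; a null response throws and counts as "false"
return weak;
```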

Exploring the BeanShell

Proxy -> BeanShell
- Allows scripted modifications to proxied conversations
- Useful for things like Ajax apps or thick clients (think timeouts!)
- Scripts must follow a very simple template:

    import …

    public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
        response = nextPlugin.fetchResponse(request);
        return response;
    }

Proxy -> BeanShell
- Probably the most useful "general" example:

    import org.owasp.webscarab.model.Request;
    import org.owasp.webscarab.model.Response;
    import org.owasp.webscarab.httpclient.HTTPClient;
    import java.io.IOException;
    import org.owasp.webscarab.plugin.proxy.swing.ManualEditFrame;

    public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
        ManualEditFrame mef = new ManualEditFrame();
        // change false to true to edit the request by hand before it is sent
        if (false) request = mef.editRequest(request);
        response = nextPlugin.fetchResponse(request);
        // change false to true to edit the response by hand before it goes back to the browser
        if (false) response = mef.editResponse(request, response);
        return response;
    }

Proxy -> BeanShell
- Other simple examples (each goes inside the fetchResponse template):

    // drop a header from the outgoing request
    request.deleteHeader("HeaderName");
    response = nextPlugin.fetchResponse(request);

    // drop a header, then mark the response so the change is visible in history
    request.deleteHeader("HeaderName");
    response = nextPlugin.fetchResponse(request);
    response.addHeader("X-MyMarker", "I deleted HeaderName");

    // force a particular session cookie
    request.setHeader("Cookie", "JSESSIONID=somevalue");
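An added example, not one of the deck's scripts, that builds on the template above: the manual edit frame opens only for POST requests whose URL contains a placeholder path prefix, so background Ajax traffic passes straight through instead of stalling on a client-side timeout, and every edited response is tagged with an X-Edited header so it can be found later with a history search. The prefix and header name are placeholders chosen for this example.

```java
// Added example, not from the original slides. Only the chosen requests are
// held for manual editing; everything else is forwarded untouched.
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.plugin.proxy.swing.ManualEditFrame;
import java.io.IOException;

// Placeholder: the part of the application under review that you want to step through
String interceptPrefix = "/placeholder/path/";

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    // decide once, so request and response are edited as a pair
    boolean edit = "POST".equals(request.getMethod())
            && request.getURL().toString().indexOf(interceptPrefix) > -1;

    ManualEditFrame mef = new ManualEditFrame();
    if (edit) request = mef.editRequest(request);

    Response response = nextPlugin.fetchResponse(request);

    if (edit) {
        response = mef.editResponse(request, response);
        // marker header: find these later with the history search
        // expression  response.getHeader("X-Edited") != null
        response.addHeader("X-Edited", "manual");
    }
    return response;
}
```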

Script Manager
- An alternative way of executing scripts
- Script structure is somewhat different; see the explanation for details
- E.g. Intercept Request
  - Called when a new request has been submitted by the browser
  - Use connection.getRequest() and connection.setRequest(request) to perform changes:

    request = connection.getRequest();
    request.setHeader("Cookie", "JSESSIONID=somevalue");
    connection.setRequest(request);

Script Manager
- The big difference is that you can load multiple scripts per hook
- Scripts can be enabled and disabled independently

Script Manager caveat
- Watch out for declaring objects with the same names in multiple scripts, though. If you use formal declarations, BeanShell will error out and tell you that the object already exists:

    Response response = connection.getResponse();

- I hope to fix this at some stage.

BeanShell persistence
- It is possible to persist values across script invocations:

    import org.owasp.webscarab.model.*;

    Request r = connection.getRequest();
    // lookupBean returns null until the bean has been registered once
    Integer i = (Integer) bsf.lookupBean("count");
    if (i == null) i = new Integer(0);
    if (i.intValue() % 2 == 0) {
        // do something on every second request
    }
    i = new Integer(i.intValue() + 1);
    bsf.registerBean("count", i);
    connection.setRequest(r);

Scripted plugin
- Intended to replace "cat request | nc target 80 | grep ..."
- Allows for multi-threaded execution of requests (4 threads hardcoded)
- Object-oriented processing of results:

    getConversationCount()
    getConversationAt(int)
    getRequest(int)
    getRequest(ConversationID)
    getResponse(int)
    getResponse(ConversationID)
    getConversationProperty(int, String)
    getConversationProperty(ConversationID, String)
    getChildCount(String)            // the String is a URL
    getChildAt(String, int)          // the String is a URL
    getUrlProperty(String, String)
    fetchResponse(Request)
    hasAsyncCapacity()
    submitAsyncRequest(Request)
    hasAsyncResponse()
    getAsyncResponse()
    isAsyncBusy()
    addConversation(Response)

Scripted plugin – Complex example