Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP WebScarab Uncovering the hidden treasures. Overview WebScarab aims to facilitate the review of web applications Functional operations Security Operations.

Published byJeffery Sutton Modified over 9 years ago

Similar presentations

Presentation on theme: "OWASP WebScarab Uncovering the hidden treasures. Overview WebScarab aims to facilitate the review of web applications Functional operations Security Operations."— Presentation transcript:

1 OWASP WebScarab Uncovering the hidden treasures

2 Overview WebScarab aims to facilitate the review of web applications Functional operations Security Operations It was written by a techie for personal use Not always intuitive Hidden keystrokes Lack of examples

3 Objectives Show participants how some of the less obvious features work Using the spider Request Transforms Using the Fuzzer Comparing Responses Searching WebScarab history

4 Objectives Show participants how some of the less obvious features work Exploring the Beanshell Writing Proxy Intercept scripts Writing Script Manager Scripts Writing other scripts

5 WebScarab Spider

6 Huh - Shared Cookies?

7 Request Transforms

8 Using the Fuzzer You can hand craft a request, one parameter at a time

9 Using the Fuzzer Or you can use an existing request as a template!

10 Fuzzer – Parameter fields Location = Where the parameter can be found Path, Fragment do not work Name = Obvious Type = Meaningless (I can’t remember why I added it!) Value = default value when not being fuzzed Priority = drives the permutations. Same priority = lockstep, different = cross product

11 Fuzzer – Fuzz sources From a file (1 per line) From a regex

12 Fuzzer – Reviewing results

13

14 Searching in TextAreas Press Ctrl-F in the TextArea to show the Search Bar Or click in the TextArea, then click Find

15 Searching in TextAreas Search string is actually a regex. WebScarab highlights any groups specified This means you need to escape regex special characters!

16 Comparing responses

17 You can also view the changes in a single window, rather than side by side Pressing Ctrl-L in the compare window. This is a toggle key.

18 Searching history

19 Search expression is a BeanShell snippet BeanShell is just interpreted Java, with some leniencies Two predefined variables, request and response If the expression returns true, the conversation is shown Exceptions are counted as “false” Very powerful, but not terribly friendly

20 Request and Response API String getMethod() void setMethod(String method) HttpUrl getURL() void setURL(HttpUrl url) void setURL(String url) throws MalformedURLException String getVersion() void setVersion(String version) String getVersion() void setVersion(String version) String getStatus() void getStatus(String status) String getMessage() void setMessage(String message) String getStatusLine()

21 Message API String[] getHeaderNames() String getHeader(String name) void setHeader(String name, String value) void addHeader(String name, String value) void deleteHeader(String name) NamedValue[] getHeaders() void setheaders(NamedValue[] headers) byte[] getContent() void setContent(byte[] content)

22 Search expression examples response.toString().indexOf("alert") > -1 new String(response.content).indexOf(“alert”) > -1 request.getHeader(“Content-Type”).startsWith(“application”) request.getMethod().equals(“POST”) new String(response.content).matches("(?s).*\tat.*") // stack traces request.getURL().toString().startsWith("https://") && response.getHeader("Set-Cookie").indexOf(“secure”) == -1"https://"

23 Exploring the BeanShell

24 Proxy -> BeanShell Allows scripted modifications to proxied conversations Useful for things like Ajax apps, or thick clients (think timeouts!) Scripts must follow a very simple template: import … public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException { response = nextPlugin.fetchResponse(request); return response; }

25 Proxy -> BeanShell Probably the most useful “general” example: import org.owasp.webscarab.model.Request; import org.owasp.webscarab.model.Response; import org.owasp.webscarab.httpclient.HTTPClient; import java.io.IOException; import org.owasp.webscarab.plugin.proxy.swing.ManualEditFrame; public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException { ManualEditFrame mef = new ManualEditFrame(); if (false) request = mef.editRequest(request); response = nextPlugin.fetchResponse(request); if (false) response = mef.editResponse(request, response); return response; }

26 Proxy->BeanShell Other simple examples: request.deleteHeader("HeaderName"); response = fetchResponse(request); request.deleteHeader("HeaderName"); response = fetchResponse(request); response.addheader("X-MyMarker", "I deleted HeaderName"); request.setHeader(“Cookie”, “JSESSIONID=somevalue”);

27 Script Manager An alternative way of executing scripts Script structure is somewhat different See the explanation for details E.g. Intercept Request Called when a new request has been submitted by the browser use connection.getRequest() and connection.setRequest(request) to perform changes request = connection.getRequest(); request.setHeader(“Cookie”, “JSESSIONID=somevalue”); connection.setRequest(request);

28 Script Manager Big difference is that you can load multiple scripts per hook Can be enabled and disabled independently

29 Script Manager caveat Watch out for declaring objects with the same names in multiple scripts, though. If you use formal declarations, BeanShell will error out and tell you that the object already exists. Response response = connection.getResponse(); I hope to fix this at some stage.

30 BeanShell persistence It is possible to persist values across script invocations import org.owasp.webscarab.model.*; Request r = connection.getRequest(); Integer i = bsf.lookupBean("count"); if (i == null) i = new Integer(0); if (i.intValue() %2 == 0) { // do something } i = new Integer(i.intValue()++); bsf.registerBean("count", i); connection.setRequest(r);

31 Scripted plugin Intended to replace “cat request | nc target 80 | grep... “ Allows for multi-threaded execution of requests (4 threads hardcoded) Object-oriented processing of results getConversationCount() getConversationAt(int) getRequest(int) getRequest(ConversationID) getResponse(int) getResponse(ConversationID) getConversationProperty(int, String) getConversationProperty(ConversationID, String) getChildCount(String) // == an URL getChildAt(String, int) // == an URL getUrlProperty(String, String) fetchResponse(Request) hasAsyncCapacity() submitAsyncRequest(Request) hasAsyncResponse() getAsyncResponse() isAsyncBusy() addConversation(Response)

32 Scripted plugin Complex example

Download ppt "OWASP WebScarab Uncovering the hidden treasures. Overview WebScarab aims to facilitate the review of web applications Functional operations Security Operations."

Similar presentations

PHP I.

PHP I.
JavaScript I. JavaScript is an object oriented programming language used to add interactivity to web pages. Different from Java, even though bears some.

JavaScript I. JavaScript is an object oriented programming language used to add interactivity to web pages. Different from Java, even though bears some.
23-Aug-14 HTML/XHTML Forms. 2 What are forms? is just another kind of XHTML/HTML tag Forms are used to create (rather primitive) GUIs on Web pages Usually.

23-Aug-14 HTML/XHTML Forms. 2 What are forms? is just another kind of XHTML/HTML tag Forms are used to create (rather primitive) GUIs on Web pages Usually.
24-Aug-14 HTML Forms. 2 What are forms? is just another kind of HTML tag HTML forms are used to create (rather primitive) GUIs on Web pages Usually the.

24-Aug-14 HTML Forms. 2 What are forms? is just another kind of HTML tag HTML forms are used to create (rather primitive) GUIs on Web pages Usually the.
Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
1 Servlets Based on Notes by Dave Hollinger & Ethan Cerami Also, the Online Java Tutorial by Sun.

1 Servlets Based on Notes by Dave Hollinger & Ethan Cerami Also, the Online Java Tutorial by Sun.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
Chapter 51 Scripting With JSP Elements JavaServer Pages By Xue Bai.

Chapter 51 Scripting With JSP Elements JavaServer Pages By Xue Bai.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Data Types in Java Data is the information that a program has to work with. Data is of different types. The type of a piece of data tells Java what can.

Data Types in Java Data is the information that a program has to work with. Data is of different types. The type of a piece of data tells Java what can.
Chris Shuster. Overview Hacking White Hat Black Hat Web Hacking.

Chris Shuster. Overview Hacking White Hat Black Hat Web Hacking.
18-Jun-15 JSP Java Server Pages Reference: Tutorial/Servlet-Tutorial-JSP.html.

18-Jun-15 JSP Java Server Pages Reference: Tutorial/Servlet-Tutorial-JSP.html.
Eclipse[10] MIPSinEclipse. Overview Goal: To provide a friendly development environment for CS students programming in MIPS (particularly CS33 at UCLA),

Eclipse[10] MIPSinEclipse. Overview Goal: To provide a friendly development environment for CS students programming in MIPS (particularly CS33 at UCLA),
Finding and Debugging Errors

Finding and Debugging Errors
DT228/3 Web Development JSP: Directives and Scripting elements.

DT228/3 Web Development JSP: Directives and Scripting elements.
CSC 2720 Building Web Applications Servlet – Getting and Setting HTTP Headers.

CSC 2720 Building Web Applications Servlet – Getting and Setting HTTP Headers.
Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.

Web server and web browser It’s a take and give policy in between client and server through HTTP(Hyper Text Transport Protocol) Server takes a request.

Similar presentations

Ads by Google