Scribd
Upload
75 views32 pages

Owasp Webscarab: Uncovering The Hidden Treasures

WebScarab is a tool for analyzing web application security. It allows users to spider sites, transform requests, fuzz parameters, and compare responses. Less obvious features include using the BeanShell scripting language to modify requests and responses during proxying, and the Script Manager for executing multiple scripts at different points. Scripts can persist data across invocations. The tool also supports a scripted plugin interface for multi-threaded testing.

Uploaded by

weilingkway
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
75 views32 pages

Owasp Webscarab: Uncovering The Hidden Treasures

WebScarab is a tool for analyzing web application security. It allows users to spider sites, transform requests, fuzz parameters, and compare responses. Less obvious features include using the BeanShell scripting language to modify requests and responses during proxying, and the Script Manager for executing multiple scripts at different points. Scripts can persist data across invocations. The tool also supports a scripted plugin interface for multi-threaded testing.

Uploaded by

weilingkway
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 32

OWASP WebScarab

Uncovering the hidden treasures

Overview
WebScarab aims to facilitate the review of web applications Functional operations Security Operations It was written by a techie for personal use

Not always intuitive


Hidden keystrokes

Lack of examples

Objectives
Show participants how some of the less obvious features work Using the spider Request Transforms Using the Fuzzer

Comparing Responses
Searching WebScarab history

Objectives
Show participants how some of the less obvious features work Exploring the Beanshell Writing Proxy Intercept scripts Writing Script Manager Scripts

Writing other scripts

WebScarab Spider

Huh - Shared Cookies?

Request Transforms

Using the Fuzzer


You can hand craft a request, one parameter at a time

Using the Fuzzer


Or you can use an existing request as a template!

Fuzzer Parameter fields


Location = Where the parameter can be found Path, Fragment do not work Name = Obvious Type = Meaningless (I cant remember why I added it!)

Value = default value when not being fuzzed


Priority = drives the permutations.

Same priority = lockstep, different = cross product

Fuzzer Fuzz sources


From a file (1 per line)

From a regex

Fuzzer Reviewing results

Fuzzer Reviewing results

Searching in TextAreas
Press Ctrl-F in the TextArea to show the Search Bar

Or click in the TextArea, then click Find

Searching in TextAreas
Search string is actually a regex. WebScarab highlights any groups specified

This means you need to escape regex special characters!

Comparing responses

Comparing responses
You can also view the changes in a single window, rather than side by side Pressing Ctrl-L in the compare window. This is a toggle key.

Searching history

Searching history
Search expression is a BeanShell snippet BeanShell is just interpreted Java, with some leniencies Two predefined variables, request and response If the expression returns true, the conversation is shown

Exceptions are counted as false


Very powerful, but not terribly friendly

Request and Response API


String getMethod() void setMethod(String method) String getVersion() void setVersion(String version)

HttpUrl getURL()
void setURL(HttpUrl url)

String getStatus()
void getStatus(String status)

void setURL(String url) throws MalformedURLException


String getVersion()

String getMessage()
void setMessage(String message) String getStatusLine()

void setVersion(String version)

Message API
String[] getHeaderNames() String getHeader(String name)

void setHeader(String name, String value)


void addHeader(String name, String value) void deleteHeader(String name) NamedValue[] getHeaders() void setheaders(NamedValue[] headers)

byte[] getContent()
void setContent(byte[] content)

Search expression examples


response.toString().indexOf("alert") > -1 new String(response.content).indexOf(alert) > -1 request.getHeader(Content-Type).startsWith(application) request.getMethod().equals(POST)

new String(response.content).matches("(?s).*\tat .*") // stack traces


request.getURL().toString().startsWith("https://") && response.getHeader("Set-Cookie").indexOf(secure) == -1

Exploring the BeanShell

Proxy -> BeanShell


Allows scripted modifications to proxied conversations Useful for things like Ajax apps, or thick clients (think timeouts!) Scripts must follow a very simple template: import <whatever classes you use> public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException { response = nextPlugin.fetchResponse(request); return response; }

Proxy -> BeanShell


Probably the most useful general example: import org.owasp.webscarab.model.Request; import org.owasp.webscarab.model.Response; import org.owasp.webscarab.httpclient.HTTPClient; import java.io.IOException; import org.owasp.webscarab.plugin.proxy.swing.ManualEditFrame; public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException { ManualEditFrame mef = new ManualEditFrame(); if (false) request = mef.editRequest(request); response = nextPlugin.fetchResponse(request); if (false) response = mef.editResponse(request, response); return response; }

Proxy->BeanShell
Other simple examples: request.deleteHeader("HeaderName"); response = fetchResponse(request); request.deleteHeader("HeaderName"); response = fetchResponse(request); response.addheader("X-MyMarker", "I deleted HeaderName"); request.setHeader(Cookie, JSESSIONID=somevalue);

Script Manager
An alternative way of executing scripts Script structure is somewhat different See the explanation for details E.g. Intercept Request Called when a new request has been submitted by the browser use connection.getRequest() and connection.setRequest(request) to perform changes request = connection.getRequest(); request.setHeader(Cookie, JSESSIONID=somevalue); connection.setRequest(request);

Script Manager
Big difference is that you can load multiple scripts per hook Can be enabled and disabled independently

Script Manager caveat


Watch out for declaring objects with the same names in multiple scripts, though. If you use formal declarations, BeanShell will error out and tell you that the object already exists. Response response = connection.getResponse();

I hope to fix this at some stage.

BeanShell persistence
It is possible to persist values across script invocations import org.owasp.webscarab.model.*; Request r = connection.getRequest(); Integer i = bsf.lookupBean("count"); if (i == null) i = new Integer(0); if (i.intValue() %2 == 0) { // do something } i = new Integer(i.intValue()++); bsf.registerBean("count", i); connection.setRequest(r);

Scripted plugin
Intended to replace cat request | nc target 80 | grep . . . Allows for multi-threaded execution of requests (4 threads hardcoded) Object-oriented processing of results
getConversationCount() getConversationAt(int) getRequest(int) getRequest(ConversationID) getResponse(int) getResponse(ConversationID) getConversationProperty(int, String) getConversationProperty(ConversationID, String) getChildCount(String) // == an URL getChildAt(String, int) // == an URL getUrlProperty(String, String) fetchResponse(Request)

hasAsyncCapacity() submitAsyncRequest(Request) hasAsyncResponse() getAsyncResponse() isAsyncBusy()

addConversation(Response)

Scripted plugin
Complex example

You might also like