![Page 1: OWASP WebScarab Uncovering the hidden treasures. Overview WebScarab aims to facilitate the review of web applications Functional operations Security Operations](https://reader036.vdocument.in/reader036/viewer/2022062803/56649f3f5503460f94c5fbfe/html5/thumbnails/1.jpg)
OWASP WebScarab
Uncovering the hidden treasures
Overview
• WebScarab aims to facilitate the review of web applications
• Functional operations
• Security Operations
• It was written by a techie for personal use
• Not always intuitive
• Hidden keystrokes
• Lack of examples
Objectives
• Show participants how some of the less obvious features work
• Using the spider
• Request Transforms
• Using the Fuzzer
• Comparing Responses
• Searching WebScarab history
• Exploring the Beanshell
• Writing Proxy Intercept scripts
• Writing Script Manager Scripts
• Writing other scripts
WebScarab Spider
Huh - Shared Cookies?
Request Transforms
Using the Fuzzer
• You can hand craft a request, one parameter at a time
• Or you can use an existing request (e.g. one picked from the proxy history) as a template
Fuzzer – Parameter fields
• Location = Where the parameter can be found
• Path, Fragment do not work
• Name = Obvious
• Type = Meaningless (I can’t remember why I added it!)
• Value = default value when not being fuzzed
• Priority = drives the permutations
• Parameters with the same priority advance in lockstep (value i of each is sent together); parameters with different priorities are combined as a cross product
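As an added illustration (not code from the slides or from WebScarab), the Java class below reproduces the priority rule: parameters that share a priority advance in lockstep, and each distinct priority is crossed with the others. Two details are assumptions about ordering rather than statements about WebScarab's implementation: that a lockstep group stops at its shortest fuzz source, and that the lowest priority number forms the outer loop. The request count is what matters for planning a run, so compare it with what the Fuzzer tab reports.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class FuzzPermutations {

    /** One fuzzed parameter: its name, its priority and the values its fuzz source yields. */
    static final class Param {
        final String name;
        final int priority;
        final List<String> values;

        Param(String name, int priority, List<String> values) {
            this.name = name;
            this.priority = priority;
            this.values = values;
        }
    }

    /**
     * Expands the parameters into the request set the priority rule implies:
     * same priority = lockstep (value i of each), different priority = cross product.
     */
    static List<Map<String, String>> permutations(List<Param> params) {
        // Group by priority; TreeMap keeps the groups in ascending priority order
        // (assumption: the lowest priority number is the outer loop).
        TreeMap<Integer, List<Param>> groups = new TreeMap<>();
        for (Param p : params) {
            groups.computeIfAbsent(p.priority, k -> new ArrayList<>()).add(p);
        }

        // Each group becomes a list of "steps"; one step assigns value i to every
        // parameter in the group (lockstep). Assumption: stop at the shortest source.
        List<List<Map<String, String>>> stepsPerGroup = new ArrayList<>();
        for (List<Param> group : groups.values()) {
            int steps = Integer.MAX_VALUE;
            for (Param p : group) {
                steps = Math.min(steps, p.values.size());
            }
            List<Map<String, String>> groupSteps = new ArrayList<>();
            for (int i = 0; i < steps; i++) {
                Map<String, String> step = new LinkedHashMap<>();
                for (Param p : group) {
                    step.put(p.name, p.values.get(i));
                }
                groupSteps.add(step);
            }
            stepsPerGroup.add(groupSteps);
        }

        // Cross product across groups: every step of a group is paired with every
        // partial request built from the groups before it.
        List<Map<String, String>> requests = new ArrayList<>();
        requests.add(new LinkedHashMap<>());
        for (List<Map<String, String>> groupSteps : stepsPerGroup) {
            List<Map<String, String>> next = new ArrayList<>();
            for (Map<String, String> partial : requests) {
                for (Map<String, String> step : groupSteps) {
                    Map<String, String> merged = new LinkedHashMap<>(partial);
                    merged.putAll(step);
                    next.add(merged);
                }
            }
            requests = next;
        }
        return requests;
    }

    public static void main(String[] args) {
        // Constructed input: user and pass share priority 0 (lockstep, so each
        // username travels with its own password); role has priority 1 and is
        // crossed with those pairs, giving 2 * 3 = 6 requests.
        List<Param> params = Arrays.asList(
                new Param("user", 0, Arrays.asList("alice", "bob")),
                new Param("pass", 0, Arrays.asList("alice1", "bob1")),
                new Param("role", 1, Arrays.asList("user", "admin", "root")));
        for (Map<String, String> request : permutations(params)) {
            System.out.println(request);
        }
    }
}
```

The lockstep group is what lets you fuzz credential pairs without sending every username against every password; put the parameter you actually want enumerated (here `role`) on its own priority so it is crossed with the pairs.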
Fuzzer – Fuzz sources
• From a file (1 per line)
• From a regex
Fuzzer – Reviewing results
Searching in TextAreas
• Press Ctrl-F in the TextArea to show the Search Bar
• Or click in the TextArea, then click Find
• The search string is actually a regex
• WebScarab highlights any capturing groups you specify
• This means you need to escape regex metacharacters (., (, ), [, ?, +, *) when searching for them literally
Comparing responses
• You can also view the changes in a single window, rather than side by side
• Press Ctrl-L in the compare window; the key toggles between the two layouts
Searching history
• Search expression is a BeanShell snippet
• BeanShell is just interpreted Java, with some leniencies
• Two predefined variables, request and response
• If the expression returns true, the conversation is shown
• Exceptions are counted as “false”
• Very powerful, but not terribly friendly
Request and Response API
Request:
• String getMethod()
• void setMethod(String method)
• HttpUrl getURL()
• void setURL(HttpUrl url)
• void setURL(String url) throws MalformedURLException
• String getVersion()
• void setVersion(String version)
Response:
• String getVersion()
• void setVersion(String version)
• String getStatus()
• void setStatus(String status)
• String getMessage()
• void setMessage(String message)
• String getStatusLine()
Both extend Message, so the header and content methods on the next slide apply to each.
Message API
• String[] getHeaderNames()
• String getHeader(String name)
• void setHeader(String name, String value)
• void addHeader(String name, String value)
• void deleteHeader(String name)
• NamedValue[] getHeaders()
• void setHeaders(NamedValue[] headers)
• byte[] getContent()
• void setContent(byte[] content)
Search expression examples
• response.toString().indexOf("alert") > -1 // status line, headers or body contain "alert"
• new String(response.getContent()).indexOf("alert") > -1 // body only; response.content also works, BeanShell maps the property to getContent()
• request.getHeader("Content-Type").startsWith("application")
• request.getMethod().equals("POST")
• new String(response.getContent()).matches("(?s).*\tat .*") // Java stack traces in the body
• request.getURL().toString().startsWith("https://") && response.getHeader("Set-Cookie").indexOf("secure") == -1 // cookie set over HTTPS without the Secure flag; a response with no Set-Cookie throws, which counts as false. The match is case sensitive, so use toLowerCase() if the server writes "Secure"
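Three further search expressions, added here as examples rather than taken from the slides. They show how to deal with the exception-counts-as-false rule: when you want the negative sense (conversations that lack something) you must test for null yourself, and attribute names should be lower-cased before matching because they are case insensitive on the wire. "JSESSIONID" and "/login" are assumed names for the target application.

```java
// 1. Responses that set a cookie but omit HttpOnly. The null check keeps
//    responses without any Set-Cookie from being thrown out as "false" for the
//    wrong reason, and toLowerCase() makes the attribute match case insensitive.
response.getHeader("Set-Cookie") != null
    && response.getHeader("Set-Cookie").toLowerCase().indexOf("httponly") == -1

// 2. Requests that carried a session cookie yet were redirected to the login
//    page: where the application dropped the session. Cookie name and login
//    path are assumed.
request.getHeader("Cookie") != null
    && request.getHeader("Cookie").indexOf("JSESSIONID") > -1
    && response.getStatus().startsWith("30")
    && response.getHeader("Location") != null
    && response.getHeader("Location").indexOf("/login") > -1

// 3. The negative search the exception rule makes awkward: responses that set
//    no cookie at all. Without an explicit null comparison, calling a method on
//    the missing header would throw and the conversation would be hidden.
response.getHeader("Set-Cookie") == null
```

Each expression is a single BeanShell expression, so it can be pasted into the history search field as-is.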
Exploring the BeanShell
Proxy -> BeanShell
• Allows scripted modifications to proxied conversations
• Useful for things like Ajax apps, or thick clients (manual interception holds the request until you edit it, and those clients time out)
• Scripts must follow a very simple template:
  import ... <whatever classes you use>

  public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
      response = nextPlugin.fetchResponse(request);
      return response;
  }
• Probably the most useful "general" example (change either false to true to edit the request or the response by hand in a ManualEditFrame):
  import org.owasp.webscarab.model.Request;
  import org.owasp.webscarab.model.Response;
  import org.owasp.webscarab.httpclient.HTTPClient;
  import java.io.IOException;
  import org.owasp.webscarab.plugin.proxy.swing.ManualEditFrame;

  public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
      ManualEditFrame mef = new ManualEditFrame();
      if (false) request = mef.editRequest(request);             // true: edit the request before it is sent
      response = nextPlugin.fetchResponse(request);
      if (false) response = mef.editResponse(request, response); // true: edit the response before the browser sees it
      return response;
  }
• Other simple examples (each replaces the body of fetchResponse in the template):
  request.deleteHeader("HeaderName");
  response = nextPlugin.fetchResponse(request);

  request.deleteHeader("HeaderName");
  response = nextPlugin.fetchResponse(request);
  response.addHeader("X-MyMarker", "I deleted HeaderName");

  request.setHeader("Cookie", "JSESSIONID=somevalue");
  response = nextPlugin.fetchResponse(request);
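Putting the template and the header examples together, here is a complete intercept script added as an illustration; it is not from the slides or from WebScarab itself. It rewrites one form field in matching POST bodies, so a thick client keeps running while the proxy tampers with its traffic, and it stamps a marker header on the response so the altered conversations can later be found with the history search. The path "/api/transfer", the field name "amount", the replacement value and the marker header are made-up names.

```java
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import java.io.IOException;

// Added example for the Proxy -> BeanShell hook. The path "/api/transfer",
// the form field "amount" and the replacement value "0" are assumed names.
public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    String url = request.getURL().toString();
    String contentType = request.getHeader("Content-Type");
    boolean formPost = request.getMethod().equals("POST")
            && contentType != null
            && contentType.startsWith("application/x-www-form-urlencoded");

    if (formPost && url.indexOf("/api/transfer") > -1 && request.getContent() != null) {
        String body = new String(request.getContent());
        // Replace the value of the "amount" field wherever it sits in the body;
        // (^|&) anchors on a field boundary so "discountamount=" is left alone.
        String tampered = body.replaceAll("(^|&)amount=[^&]*", "$1amount=0");
        if (!tampered.equals(body)) {
            byte[] bytes = tampered.getBytes();
            request.setContent(bytes);
            // Keep Content-Length honest: set it explicitly rather than trusting
            // the framework to recompute it after setContent().
            request.setHeader("Content-Length", String.valueOf(bytes.length));
            response = nextPlugin.fetchResponse(request);
            // Find these later with the history search:
            //   response.getHeader("X-MyMarker") != null
            response.addHeader("X-MyMarker", "amount rewritten");
            return response;
        }
    }
    // Everything else passes through untouched.
    response = nextPlugin.fetchResponse(request);
    return response;
}
```

The marker header never reaches the server (it is added to the response on the way back), so it is safe to leave in place; it exists purely so that the modified conversations stand out in the history.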
Script Manager
• An alternative way of executing scripts
• Script structure is somewhat different
• See the explanation for details
• E.g. Intercept Request: called when a new request has been submitted by the browser; use connection.getRequest() and connection.setRequest(request) to perform changes
  request = connection.getRequest();
  request.setHeader("Cookie", "JSESSIONID=somevalue");
  connection.setRequest(request);
• Big difference is that you can load multiple scripts per hook
• Can be enabled and disabled independently
Script Manager caveat
• Watch out for declaring objects with the same names in multiple scripts, though.
• If you use formal declarations (a typed declaration such as the one below) in two scripts on the same hook, BeanShell will error out and tell you that the object already exists.
  Response response = connection.getResponse();
• I hope to fix this at some stage.
BeanShell persistence
• It is possible to persist values across script invocations
  import org.owasp.webscarab.model.*;

  Request r = connection.getRequest();
  // bsf is the Bean Scripting Framework object; beans registered with it
  // outlive a single run of the script, so they act as persistent state
  Integer i = (Integer) bsf.lookupBean("count");
  if (i == null) i = new Integer(0);
  if (i.intValue() % 2 == 0) {
      // do something on every second request
  }
  i = new Integer(i.intValue() + 1);
  bsf.registerBean("count", i);
  connection.setRequest(r);
Scripted plugin
• Intended to replace "cat request | nc target 80 | grep ..."
• Allows for multi-threaded execution of requests (4 threads hardcoded)
• Object-oriented processing of results
  History access:
  getConversationCount()
  getConversationAt(int)
  getRequest(int)
  getRequest(ConversationID)
  getResponse(int)
  getResponse(ConversationID)
  getConversationProperty(int, String)
  getConversationProperty(ConversationID, String)
  getChildCount(String)          // the String argument is a URL
  getChildAt(String, int)        // the String argument is a URL
  getUrlProperty(String, String)
  Synchronous fetch:
  fetchResponse(Request)
  Asynchronous fetch (the worker pool):
  hasAsyncCapacity()
  submitAsyncRequest(Request)
  hasAsyncResponse()
  getAsyncResponse()
  isAsyncBusy()
  Recording results in the history:
  addConversation(Response)
• Complex example
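The slide's own complex example is a screenshot that is not reproduced here. The script below is an added example, not the slide's code, written against the API listed above: it walks the recorded history for responses containing a Java stack trace (the same regex as the history-search example), then replays each matching request with a changed Accept header through the asynchronous API and records the results as new conversations. Two binding names are assumptions: "scripted" for the framework object that exposes the listed methods and "out" for the plugin's output stream; check the plugin's bundled sample script for the real names. Whether isAsyncBusy() reports in-flight requests is also assumed.

```java
import java.util.ArrayList;
import java.util.List;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;

// Added example for the Scripted plugin. Assumed bindings: "scripted" is the
// framework object offering the API listed above, "out" is the plugin's
// output stream. The Accept value used for the replay is an arbitrary variation.

// Pass 1: walk the history and collect requests whose response carried a stack trace.
List hits = new ArrayList();
int count = scripted.getConversationCount();
for (int i = 0; i < count; i++) {
    Response response = scripted.getResponse(i);
    if (response == null || response.getContent() == null) continue;
    String body = new String(response.getContent());
    if (body.matches("(?s).*\tat .*")) {
        Request request = scripted.getRequest(i);
        out.println("stack trace in conversation " + i + ": "
                + request.getMethod() + " " + request.getURL());
        hits.add(request);
    }
}

// Pass 2: replay each hit with a different Accept header via the async API.
// Build a fresh Request with the Request/Message API so the stored original
// in the history is never modified.
for (int i = 0; i < hits.size(); i++) {
    Request original = (Request) hits.get(i);
    Request copy = new Request();
    copy.setMethod(original.getMethod());
    copy.setURL(original.getURL());
    copy.setVersion(original.getVersion());
    copy.setHeaders(original.getHeaders());
    copy.setContent(original.getContent());
    copy.setHeader("Accept", "application/json");

    // Only 4 worker threads exist: while waiting for a free slot, drain any
    // finished responses so the pool never stalls on a full result queue.
    while (!scripted.hasAsyncCapacity()) {
        if (scripted.hasAsyncResponse()) {
            scripted.addConversation(scripted.getAsyncResponse());
        } else {
            Thread.sleep(50);
        }
    }
    scripted.submitAsyncRequest(copy);
}

// Drain whatever is still in flight, recording each result in the history.
while (scripted.isAsyncBusy() || scripted.hasAsyncResponse()) {
    if (scripted.hasAsyncResponse()) {
        scripted.addConversation(scripted.getAsyncResponse());
    } else {
        Thread.sleep(50);
    }
}
out.println("replayed " + hits.size() + " request(s)");
```

Because the replays go through addConversation(), they appear in the normal history and can be diffed against the originals with the Compare feature or filtered with a BeanShell history search, which is the point of doing this inside WebScarab instead of with nc and grep.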