owasp webscarab l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
OWASP WebScarab PowerPoint Presentation
Download Presentation
OWASP WebScarab

Loading in 2 Seconds...

play fullscreen
1 / 32

OWASP WebScarab - PowerPoint PPT Presentation


  • 344 Views
  • Uploaded on

OWASP WebScarab. Uncovering the hidden treasures. Overview. WebScarab aims to facilitate the review of web applications Functional operations Security Operations It was written by a techie for personal use Not always intuitive Hidden keystrokes Lack of examples. Objectives.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'OWASP WebScarab' - hiroko


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
owasp webscarab
OWASP WebScarab
  • Uncovering the hidden treasures
overview
Overview
  • WebScarab aims to facilitate the review of web applications
    • Functional operations
    • Security Operations
  • It was written by a techie for personal use
    • Not always intuitive
    • Hidden keystrokes
    • Lack of examples
objectives
Objectives
  • Show participants how some of the less obvious features work
    • Using the spider
    • Request Transforms
    • Using the Fuzzer
    • Comparing Responses
    • Searching WebScarab history
objectives4
Objectives
  • Show participants how some of the less obvious features work
    • Exploring the Beanshell
      • Writing Proxy Intercept scripts
      • Writing Script Manager Scripts
      • Writing other scripts
using the fuzzer
Using the Fuzzer
  • You can hand craft a request, one parameter at a time
using the fuzzer9
Using the Fuzzer
  • Or you can use an existing request as a template!
fuzzer parameter fields
Fuzzer – Parameter fields
  • Location = Where the parameter can be found
    • Path, Fragment do not work
  • Name = Obvious
  • Type = Meaningless (I can’t remember why I added it!)
  • Value = default value when not being fuzzed
  • Priority = drives the permutations.
    • Same priority = lockstep, different = cross product
fuzzer fuzz sources
Fuzzer – Fuzz sources
  • From a file (1 per line)
  • From a regex
searching in textareas
Searching in TextAreas
  • Press Ctrl-F in the TextArea to show the Search Bar
  • Or click in the TextArea, then click Find
searching in textareas15
Searching in TextAreas
  • Search string is actually a regex.
  • WebScarab highlights any groups specified
  • This means you need to escape regex special characters!
comparing responses17
Comparing responses
  • You can also view the changes in a single window, rather than side by side
  • Pressing Ctrl-L in the compare window. This is a toggle key.
searching history19
Searching history
  • Search expression is a BeanShell snippet
  • BeanShell is just interpreted Java, with some leniencies
  • Two predefined variables, request and response
  • If the expression returns true, the conversation is shown
  • Exceptions are counted as “false”
  • Very powerful, but not terribly friendly
request and response api
String getMethod()

void setMethod(String method)

HttpUrl getURL()

void setURL(HttpUrl url)

void setURL(String url) throws MalformedURLException

String getVersion()

void setVersion(String version)

String getVersion()

void setVersion(String version)

String getStatus()

void getStatus(String status)

String getMessage()

void setMessage(String message)

String getStatusLine()

Request and Response API
message api
Message API
  • String[] getHeaderNames()
  • String getHeader(String name)
  • void setHeader(String name, String value)
  • void addHeader(String name, String value)
  • void deleteHeader(String name)
  • NamedValue[] getHeaders()
  • void setheaders(NamedValue[] headers)
  • byte[] getContent()
  • void setContent(byte[] content)
search expression examples
Search expression examples
  • response.toString().indexOf("alert") > -1
  • new String(response.content).indexOf(“alert”) > -1
  • request.getHeader(“Content-Type”).startsWith(“application”)
  • request.getMethod().equals(“POST”)
  • new String(response.content).matches("(?s).*\tat .*") // stack traces
  • request.getURL().toString().startsWith("https://") && response.getHeader("Set-Cookie").indexOf(“secure”) == -1
proxy beanshell
Proxy -> BeanShell
  • Allows scripted modifications to proxied conversations
  • Useful for things like Ajax apps, or thick clients (think timeouts!)
  • Scripts must follow a very simple template:
    • import … <whatever classes you use>public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException { response = nextPlugin.fetchResponse(request); return response;}
proxy beanshell25
Proxy -> BeanShell
  • Probably the most useful “general” example:
    • import org.owasp.webscarab.model.Request;import org.owasp.webscarab.model.Response;import org.owasp.webscarab.httpclient.HTTPClient;import java.io.IOException;import org.owasp.webscarab.plugin.proxy.swing.ManualEditFrame;public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException { ManualEditFrame mef = new ManualEditFrame(); if (false) request = mef.editRequest(request); response = nextPlugin.fetchResponse(request); if (false) response = mef.editResponse(request, response); return response;}
proxy beanshell26
Proxy->BeanShell
  • Other simple examples:
    • request.deleteHeader("HeaderName");response = fetchResponse(request);
    • request.deleteHeader("HeaderName");response = fetchResponse(request);response.addheader("X-MyMarker", "I deleted HeaderName");
    • request.setHeader(“Cookie”, “JSESSIONID=somevalue”);
script manager
Script Manager
  • An alternative way of executing scripts
  • Script structure is somewhat different
  • See the explanation for details
  • E.g. Intercept RequestCalled when a new request has been submitted by the browseruse connection.getRequest() and connection.setRequest(request) to perform changes
    • request = connection.getRequest();request.setHeader(“Cookie”, “JSESSIONID=somevalue”);connection.setRequest(request);
script manager28
Script Manager
  • Big difference is that you can load multiple scripts per hook
  • Can be enabled and disabled independently
script manager caveat
Script Manager caveat
  • Watch out for declaring objects with the same names in multiple scripts, though.
  • If you use formal declarations, BeanShell will error out and tell you that the object already exists.
    • Response response = connection.getResponse();
  • I hope to fix this at some stage.
beanshell persistence
BeanShell persistence
  • It is possible to persist values across script invocations
    • import org.owasp.webscarab.model.*;Request r = connection.getRequest();Integer i = bsf.lookupBean("count");if (i == null) i = new Integer(0);if (i.intValue() %2 == 0) { // do something}i = new Integer(i.intValue()++);bsf.registerBean("count", i);connection.setRequest(r);
scripted plugin
Scripted plugin
  • Intended to replace “cat request | nc target 80 | grep . . . “
  • Allows for multi-threaded execution of requests (4 threads hardcoded)
  • Object-oriented processing of results

getConversationCount()getConversationAt(int)getRequest(int)getRequest(ConversationID)getResponse(int)getResponse(ConversationID)getConversationProperty(int, String)getConversationProperty(ConversationID, String)getChildCount(String) // == an URLgetChildAt(String, int) // == an URLgetUrlProperty(String, String)

fetchResponse(Request)

hasAsyncCapacity()submitAsyncRequest(Request)hasAsyncResponse()getAsyncResponse()isAsyncBusy()

addConversation(Response)

scripted plugin32
Scripted plugin
  • Complex example