WebApp Sec mailing list archives
New release of WebScarab
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 20 Jun 2005 17:41:09 +0200
Hi folks,

This is to announce that a new release of WebScarab has been uploaded to Sourceforge.

<https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823>

This is a major improvement, with 3 new plugins:

* Fuzzer (at LAST!)
* Search
* Compare

Fuzzer

The fuzzer basically allows you to throw a combination of values at a server. It is still a little rough, but functionally, it works pretty well.

The idea is that you configure the request method, the basic URL (without any parameters), the request version, any headers (e.g. a Host: header if you are using HTTP/1.1, etc. Don't configure cookies here!), and a list of Parameters.

A Parameter is defined by its location (Path, Fragment, Query, Cookie, Body), its name (ignored for Path), its type (String), a default value, a fuzz priority, and a fuzz source. The default value is the value that will be submitted if no fuzz source is defined.

The fuzz priority defines how the various fuzz sources are combined: if all the priorities are the same value, the number of queries submitted will be the number of items in the shortest fuzz source. If they are different values, the number of queries generated will be the product of the number of items in each level. An example would be if you had a list of usernames and passwords. If both username and password parameters had the same priority, usernames and passwords would be consumed in lock-step. If they had different priorities, EVERY password would be tried for each username.

Parameters are processed in order: first path, then fragment, then query, then cookie, then body.

The only content type supported for POST requests is application/x-www-form-urlencoded; it does not support multipart (although provision is made for parameters of different types, e.g. File), XML documents, etc. Multipart and XML will be the next evolution.

Search

The search plugin allows you to execute arbitrary BeanShell scripts to identify "interesting" conversations.
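The priority rules above are easier to see in code. The following is an added Python model of the described behaviour, written for this page; it is not WebScarab's own code, and the Parameter class, the generate_rows/render_request helpers, and the username/password lists are all constructed for the illustration. Equal priorities are zipped (lock-step, limited by the shortest source), different priorities are multiplied, parameters without a source keep their default, and the renderer applies the path/fragment/query/cookie/body ordering with a form-urlencoded body.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional
from urllib.parse import quote


@dataclass
class Parameter:
    """One fuzzer parameter, with the fields the announcement lists."""
    location: str                        # Path, Fragment, Query, Cookie or Body
    name: str                            # ignored for Path
    default: str                         # submitted when no fuzz source is defined
    priority: int = 0                    # equal priorities advance in lock-step
    source: Optional[List[str]] = None   # the fuzz source, if any

    @property
    def key(self) -> str:
        return f"{self.location}:{self.name}"


def generate_rows(params: List[Parameter]) -> List[Dict[str, str]]:
    """Return one key->value assignment per request the fuzzer would send."""
    levels: Dict[int, List[Parameter]] = {}
    for p in params:
        if p.source is not None:
            levels.setdefault(p.priority, []).append(p)

    # Within one priority level the sources are zipped, so the level yields
    # as many rows as its shortest source. Across levels rows are multiplied.
    per_level = []
    for prio in sorted(levels):
        group = levels[prio]
        per_level.append([dict(zip([p.key for p in group], values))
                          for values in zip(*(p.source for p in group))])

    rows = []
    for combo in product(*per_level):
        row = {p.key: p.default for p in params}   # defaults for everything
        for partial in combo:
            row.update(partial)                    # fuzzed values override
        rows.append(row)
    return rows


ORDER = ["Path", "Fragment", "Query", "Cookie", "Body"]   # processing order


def render_request(method: str, base_url: str, version: str,
                   headers: Dict[str, str], params: List[Parameter],
                   row: Dict[str, str]) -> str:
    """Render one row as a raw request. The body is always form-urlencoded,
    matching the only POST content type the announcement says is supported."""
    path, fragment, query, cookies, body = base_url, "", [], [], []
    for p in sorted(params, key=lambda p: ORDER.index(p.location)):
        v = quote(row[p.key], safe="")
        if p.location == "Path":
            path = path.rstrip("/") + "/" + v
        elif p.location == "Fragment":
            fragment = "#" + v
        elif p.location == "Query":
            query.append(f"{p.name}={v}")
        elif p.location == "Cookie":
            cookies.append(f"{p.name}={v}")
        else:                                      # Body
            body.append(f"{p.name}={v}")
    url = path + ("?" + "&".join(query) if query else "") + fragment
    lines = [f"{method} {url} {version}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    if cookies:
        lines.append("Cookie: " + "; ".join(cookies))
    payload = "&".join(body)
    if payload:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(payload)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + payload


# Constructed sample sources and parameter sets (not from the announcement).
USERNAMES = ["alice", "bob"]
PASSWORDS = ["pass1", "pass2", "pass3"]

LOCKSTEP = [Parameter("Body", "user", "guest", priority=1, source=USERNAMES),
            Parameter("Body", "pass", "guest", priority=1, source=PASSWORDS),
            Parameter("Query", "lang", "en")]                # no source: default only

PRODUCT = [Parameter("Body", "user", "guest", priority=1, source=USERNAMES),
           Parameter("Body", "pass", "guest", priority=2, source=PASSWORDS),
           Parameter("Query", "lang", "en")]

if __name__ == "__main__":
    print(len(generate_rows(LOCKSTEP)), "lock-step requests")   # 2: shortest source wins
    print(len(generate_rows(PRODUCT)), "product requests")      # 6: 2 users x 3 passwords
    print(render_request("POST", "/login", "HTTP/1.1", {"Host": "app.example"},
                         PRODUCT, generate_rows(PRODUCT)[0]))
```

Run as a script it prints the two request counts and the first rendered request; note that with equal priorities the third password is never sent, which is the practical consequence of the "shortest fuzz source" rule.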
You are provided with the request, response, and origin (originating plugin) of the conversation, and can use the class methods to return a true or false value. A true value indicates an interesting conversation that should be displayed, and a false value indicates that the conversation should not be displayed.

An example might be something like:

  response.getContent() != null && new String(response.getContent()).matches("(?s).*[Ee](rror|xception).*")

which makes sure that the response HAS content (byte[]) before checking whether a String constructed from that content contains any of the strings Error, error, Exception or exception. The (?s) instructs the Java regex engine to use "dotall" mode, i.e. it enables the period to match a linefeed character as well, so the match works across a multi-line response.

BeanShell also does automatic JavaBean introspection, so in fact the call to response.getContent() could also be written as "response.content", with BeanShell using the getters and setters appropriately. For details of the class methods available, please consult the JavaDocs (included in the installer build) for org.owasp.webscarab.model.(Request|Response). Origin is simply a String matching the plugin name.

Compare

This plugin takes a "base conversation" selected from the drop-down list, tokenizes it into words, and then executes a Levenshtein edit distance algorithm on the results. The distance figure calculated is thus the number of words which would have to be added, changed or removed to transform the "base conversation" into the relevant conversation in the table. Selecting a conversation in the table will show both responses side by side, for visual inspection.

If anyone knows of a nice embeddable Java "diff viewer component", under the GPL or LGPL, please let me know. Ideally, it should highlight the places that differ, which this plugin currently does not do.
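To show what the example search script actually selects, and why the (?s) matters, here is an added Python re-implementation of the predicate run over a few constructed conversations. It is not WebScarab code: the Response and Conversation classes, the search() helper and the sample bodies are made up for this illustration, and decoding the byte[] content as a single-byte charset stands in for Java's new String(byte[]). Java's String.matches() is a whole-string match, so re.fullmatch is used to keep the same semantics.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Response:
    status: str
    content: Optional[bytes]         # None when the response carried no body


@dataclass
class Conversation:
    id: int
    request_line: str
    response: Response
    origin: str                      # name of the plugin that produced it


# Java's String.matches() is an anchored whole-string match, which is why the
# script wraps the pattern in ".*"; re.fullmatch is the Python equivalent.
# (?s) turns on "dotall" mode so "." also matches line terminators.
INTERESTING = re.compile(r"(?s).*[Ee](rror|xception).*")
NO_DOTALL = re.compile(r".*[Ee](rror|xception).*")     # same pattern, for contrast


def error_script(response: Response, pattern: re.Pattern = INTERESTING) -> bool:
    """Python form of the example script: the response must have content,
    and that content (decoded as single-byte text, an assumption) must match."""
    if response.content is None:
        return False
    return pattern.fullmatch(response.content.decode("iso-8859-1")) is not None


def search(conversations: List[Conversation],
           script: Callable[[Conversation], bool]) -> List[int]:
    """Ids of the conversations the script reports as interesting (true)."""
    return [c.id for c in conversations if script(c)]


# Constructed conversations; the bodies are made up for the example.
SAMPLE = [
    Conversation(1, "GET /index.html HTTP/1.1",
                 Response("200 OK", b"<html><body>ok</body></html>"), "Proxy"),
    Conversation(2, "GET /report HTTP/1.1",
                 Response("500 Internal Server Error",
                          b"<html>\n<pre>java.lang.NullPointerException\n</pre>\n</html>"),
                 "Proxy"),
    Conversation(3, "HEAD /logo.gif HTTP/1.1", Response("200 OK", None), "Spider"),
    Conversation(4, "GET /login?failed=1 HTTP/1.1",
                 Response("200 OK", b"<p>Login error: bad password</p>"), "Fuzzer"),
]


def run_searches() -> dict:
    return {
        # the script as given on the page
        "dotall": search(SAMPLE, lambda c: error_script(c.response)),
        # without (?s) the multi-line body in conversation 2 no longer matches
        "no_dotall": search(SAMPLE, lambda c: error_script(c.response, NO_DOTALL)),
        # origin is just the plugin name, so it can narrow the search
        "fuzzer_only": search(SAMPLE, lambda c: c.origin == "Fuzzer"
                              and error_script(c.response)),
    }


if __name__ == "__main__":
    for name, ids in run_searches().items():
        print(f"{name}: {ids}")
```

Conversation 3 has no body and is rejected by the null check before any regex runs; conversation 2 is only found when dotall mode is on, because its "Exception" sits on a line of its own and the leading ".*" cannot cross the newline otherwise.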
There are various other improvements, such as the ability to prevent conversations from being added to the list, or being analysed by the various plugins. This is implemented in the form of a Scripting Hook, accessible via Tools -> Script Manager. e.g. the following snippet prevents images and CSS resources from being added to the conversation list:

  // Look at the request URL of the conversation about to be added
  request = conversation.getRequest();
  url = request.getURL().toString();
  // (?i) makes the match case-insensitive; the dot before the extension is escaped
  if (url.matches("(?i).*\\.(gif|jpg|css)$"))
      conversation.setCancelled(true);

If you have any trouble with this new release, or any comments/feature requests, etc, please mail the webscarab mailing list: owasp-webscarab AT lists.sourceforge.net

Have fun with it!

Rogan
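Returning to the Compare plugin described above: the word-level Levenshtein distance it reports is a small algorithm, and this added Python version (written for this page, not WebScarab's own implementation) shows it run over three constructed responses against a base response. The tokenizer regex is an assumption, since the announcement does not say how it splits words. It also goes one step beyond the text by using difflib to list the word ranges that differ, which is the highlighting the author says the plugin does not yet do.

```python
import difflib
import re
from typing import Dict, List, Tuple

WORD = re.compile(r"\w+|[^\w\s]")   # assumed tokenizer: words, or single punctuation chars


def tokenize(text: str) -> List[str]:
    return WORD.findall(text)


def word_edit_distance(a: List[str], b: List[str]) -> int:
    """Levenshtein distance over token lists (one row of the DP table at a time)."""
    prev = list(range(len(b) + 1))            # distance from "" to b[:j]
    for i, ta in enumerate(a, 1):
        cur = [i]                             # distance from a[:i] to ""
        for j, tb in enumerate(b, 1):
            cost = 0 if ta == tb else 1
            cur.append(min(prev[j] + 1,          # delete a[i-1]
                           cur[j - 1] + 1,       # insert b[j-1]
                           prev[j - 1] + cost))  # substitute (or keep)
        prev = cur
    return prev[-1]


def compare(base: str, others: Dict[str, str]) -> Dict[str, int]:
    """Distance from the base conversation to each other one, as the table shows."""
    base_tokens = tokenize(base)
    return {label: word_edit_distance(base_tokens, tokenize(text))
            for label, text in others.items()}


def differing_spans(base: str, other: str) -> List[Tuple[str, str, str]]:
    """Word ranges that differ, for the side-by-side highlighting the author asks for."""
    a, b = tokenize(base), tokenize(other)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, " ".join(a[i1:i2]), " ".join(b[j1:j2]))
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


# Constructed sample responses (not real WebScarab conversations).
BASE = "<html><body>Welcome back, alice</body></html>"
OTHERS = {
    "identical":  "<html><body>Welcome back, alice</body></html>",
    "other user": "<html><body>Welcome back, bob</body></html>",
    "error page": "<html><body>Login error: invalid password</body></html>",
}

if __name__ == "__main__":
    for label, dist in compare(BASE, OTHERS).items():
        print(f"{label:>10}: {dist}")
    print(differing_spans(BASE, OTHERS["other user"]))
```

The distances come out as 0, 1 and 5: the surrounding markup tokens are shared, so only the differing words count, which is what makes a word-level distance a useful first sort key when looking for responses that behave differently from the base.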