WebApp Sec mailing list archives
Re: Webscarab how to?
From: Rogan Dawes <discard () dawes za net>
Date: Tue, 04 Jul 2006 15:03:34 +0200
mr.nasty () ix netcom com wrote:
Thanks for the info. I had seen some of these posts and was hoping to start something of a users discussion about WebScarab since it appears to be the only FREE tool out there that performs web application vulnerability analysis. I know I'm asking a lot but I think briefing like a how to say set up a fuzzer; EXAMPLE: After setting up the proxy and viewing a conversation, select and right click a conversation ID. Select "Use a Fuzz Template" and click on Fuzzer. The conversation appears. What are some of the changes you can make to the; 1) Method 2) URL 3) Header (info) 4) Value 5) Parameters a) Location b) Name c) Type d) Value e) Priotiy f) *Fuzz Source *Using the "Fuzz Source" click on "Sources" at the bottom of Parameters. This should open a "Fuzz Sources" dialog box. I created a .txt file using upper and lower case letters, all numbers 0-9, and other characters one line each. I put the file in the webscarab/scripts directory and called it ascii.txt. I browsed to the file and added the file and received the following; ava.lang.NullPointerException at java.util.TreeMap.compare(Unknown Source) at java.util.TreeMap.getEntry(Unknown Source) at java.util.TreeMap.get(Unknown Source) at org.owasp.webscarab.plugin.fuzz.FuzzFactory.getSource(FuzzFactory.java:70) at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$ParameterTableModel.setValueAt(FuzzerPanel.java:1119)
I think that you need to make sure to accept the change when setting the Fuzz Source, possibly by pressing Enter.
The bottom left indicates "Started" with 8.18/63.56. Not exactly sure what that means.
Did you really have fractions? That is VERY weird!
But I think we could set up a presentation for just about the entire webscarab thing for setting up or using "WebServices, Manual Requests, Spider, Extensions etc." I'm willing to help with whatever I can do. Thanks
I have written up a description on what the various columns are, etc. You can find it at http://www.owasp.org/index.php/Fuzzing_with_WebScarab
I hope that this explains things a bit better. Regards, Rogan ------------------------------------------------------------------------- Sponsored by: WatchfireSecuring a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm --------------------------------------------------------------------------
Current thread:
- Re: Webscarab how to? Jezebel Ali (Jul 01)
- Re: Webscarab how to? Rogan Dawes (Jul 01)
- <Possible follow-ups>
- Re: Re: Webscarab how to? mr . nasty (Jul 03)
- Re: Webscarab how to? Rogan Dawes (Jul 04)
- RE: Re: Webscarab how to? PPowenski (Jul 04)
- Re: RE: Re: Webscarab how to? f_kenisky (Jul 08)
- Re: RE: Re: Webscarab how to? c0redump (Jul 09)
- Re: Webscarab how to? Rogan Dawes (Jul 09)