Penetration Testing mailing list archives

FW: New WebScarab release


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Wed, 19 Nov 2003 10:26:35 +0200

WebScarab can be downloaded from the OWASP project page at
http://sourceforge.net/projects/owasp

Rogan

-----Original Message-----
From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes () deloitte co za] 
Sent: 18 November 2003 09:01 AM
To: webappsec () securityfocus com
Subject: New WebScarab release


Hi all, 

This is to announce a new release of WebScarab, a Java-based HTTP proxy
which can be used to intercept and modify HTTP and HTTPS requests and
responses in arbitrary ways.

New features in this version:

* Completely reworked RequestPanel and ResponsePanel, providing support for
nearly arbitrary content-types. Currently there are Hex, Text, HTML and
SerializedObject viewers, which are invoked automatically according to the
Content-Type headers. There is also support for tabular editing of message
headers. Editors for application/x-www-urlencoded and multi-part forms will
be coming shortly.

* The Text editor mentioned above supports "search" functionality, accessed
via Ctrl-F.

* An interesting feature is the addition of BeanShell scripting
functionality, which allows the operator to perform completely arbitrary
processing of a request or response. This functionality is available in both
the proxy intercept windows, and the "conversation view" windows.

* SessionID sampling and analysis. This is a new plugin designed to collect
a large number of sessionIDs and graph them, so the operator can visually
see if there are any patterns. SessionIDs are converted to a BigInteger, by
means of automatic per-position character set analysis (e.g. aaa, aab, aac
== 1, 2, 3 resp, since the aaa does not ever change, and consequently maps
to 0).

* Intercepting many requests simultaneously should no longer result in
deadlock of the GUI.

WebScarab should hopefully also be more robust, with many nullpointer
exceptions hunted down and squashed.

As usual all feedback is welcome. Error reports help to improve WebScarab,
while "I use it in this way" helps to guide direction, and motivate me to
continue ;-) Even "WebScarab sucks because . . . " is useful information ;-)

I can usually also be reached as Gollum256 on AIM if anyone wants to chat
online about WebScarab.

Rogan
-- 
"Using encryption on the Internet is the equivalent of arranging an 
armored car to deliver credit card information from someone living 
in a cardboard box to someone living on a park bench."
  - Gene Spafford
-- 
Deloitte & Touche Security Services Group
Tel: +27(11)806-6216     Fax: +27(11)806-5202     Cell: +27(82)784-9498
-- 

Important Notice: This email is subject to important restrictions,
qualifications and disclaimers ("the Disclaimer") that must be accessed and
read by clicking here or by copying and pasting the following address into
your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The
Disclaimer is deemed to form part of the content of this email in terms of
Section 11 of the Electronic Communications and Transactions Act, 25 of
2002. If you cannot access the Disclaimer, please obtain a copy thereof from
us by sending an email to ClientServiceCentre () Deloitte co za.
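The per-position character set analysis the announcement describes for the SessionID plugin, as an added illustration that is not WebScarab's own code: for every character position, the set of characters actually observed across the sample is collected; positions that never change contribute nothing, and varying positions are ranked within their observed set and combined as a mixed-radix number. The sample session IDs, the function names and the "constant step" heuristic for spotting sequential identifiers are constructed here for the example and are assumptions, not part of the original message.

```python
"""Per-position character set analysis of session IDs (illustrative, not WebScarab code)."""
from typing import Dict, List, Sequence

# Constructed samples (assumptions for this example, not real captured values).
SAMPLE_TRIVIAL = ["aaa", "aab", "aac"]
SAMPLE_COUNTER = ["SID-1f00", "SID-1f01", "SID-1f02", "SID-1f03"]  # fixed prefix, incrementing tail
SAMPLE_RANDOM = ["k3x", "b9q", "p0m"]                              # every position varies


def per_position_charsets(ids: Sequence[str]) -> List[Dict[str, int]]:
    """For each position, map each observed character to its rank in the sorted set seen there."""
    if not ids:
        raise ValueError("need at least one session ID")
    width = len(ids[0])
    if any(len(s) != width for s in ids):
        raise ValueError("all session IDs in a sample must have the same length")
    charsets: List[Dict[str, int]] = []
    for pos in range(width):
        seen = sorted({s[pos] for s in ids})
        charsets.append({ch: rank for rank, ch in enumerate(seen)})
    return charsets


def session_id_to_int(sid: str, charsets: List[Dict[str, int]]) -> int:
    """Mixed-radix conversion: constant positions are skipped, varying ones use their observed radix."""
    if len(sid) != len(charsets):
        raise ValueError("session ID length does not match the analysed sample")
    value = 0
    for pos, ch in enumerate(sid):
        table = charsets[pos]
        radix = len(table)
        if radix == 1:
            continue  # this position never changes, so it carries no information (maps to 0)
        if ch not in table:
            raise ValueError(f"character {ch!r} at position {pos} was not in the sample")
        value = value * radix + table[ch]
    return value


def analyse(ids: Sequence[str]) -> List[int]:
    """Convert a whole sample to integers using the charsets derived from that same sample."""
    charsets = per_position_charsets(ids)
    return [session_id_to_int(s, charsets) for s in ids]


def deltas(values: Sequence[int]) -> List[int]:
    """Differences between consecutive samples; what a graph of the values would show as slope."""
    return [b - a for a, b in zip(values, values[1:])]


def looks_sequential(values: Sequence[int]) -> bool:
    """Heuristic (assumption): a constant non-zero step between samples means the IDs are predictable."""
    d = deltas(values)
    return len(d) > 0 and d[0] != 0 and all(x == d[0] for x in d)


if __name__ == "__main__":
    for name, sample in (("trivial", SAMPLE_TRIVIAL), ("counter", SAMPLE_COUNTER), ("random", SAMPLE_RANDOM)):
        values = analyse(sample)
        print(f"{name:8s} {values} deltas={deltas(values)} sequential={looks_sequential(values)}")
```

Because the ranks come from the sample itself, the resulting integers are only meaningful relative to that sample; collecting a larger number of IDs, as the announcement suggests, both widens the observed character sets and makes any step pattern in the deltas easier to see.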

