WebApp Sec mailing list archives

New release of WebScarab


From: Rogan Dawes <discard () dawes za net>
Date: Mon, 20 Jun 2005 17:41:09 +0200

Hi folks,

This is to announce that a new release of WebScarab has been uploaded to
Sourceforge.

<https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823>

This is a major improvement, with 3 new plugins:

* Fuzzer (at LAST!)
* Search
* Compare

Fuzzer

The fuzzer basically allows you to throw a combination of values at a
server. It is still a little rough, but functionally, it works pretty
well. The idea is that you configure the request method, the basic URL
(without any parameters), the request version, any headers (e.g. a Host:
header if you are using HTTP/1.1, etc. Don't configure cookies here!),
and a list of Parameters.

A Parameter is defined by its location (Path, Fragment, Query, Cookie,
Body), its name (ignored for Path), type == String, Default value, Fuzz
Priority, and a fuzz source.

The default value is the value that will be submitted if no fuzz source
is defined.

The fuzz priority defines how the various fuzz sources are combined: if
all the priorities are the same value, the number of queries submitted
will be the number of items in the shortest fuzz source. If they are
different values, the number of queries generated will be the product of
the number of items in each level.

An example would be if you had a list of usernames and passwords. If
both username and password parameters had the same priority, usernames
and passwords would be consumed in lock-step. If they had different
priorities, EVERY password would be tried for each username.

Parameters are processed in order, first path, then fragment, then
query, then cookie, then body. The only content type supported for POST
Requests is application/x-www-urlencoded, it does not support multi-part
(although provision is made for parameters of different types, e.g.
File), or XML documents, etc. Multi-part and XML will be the next evolution.
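The priority rules and the Path/Fragment/Query/Cookie/Body ordering described above, worked through as an added example in Python; this is not WebScarab's own code, and the Parameter class, request dictionaries, the http://example.test URL and the username/password lists are constructed for illustration. Equal priorities are zipped (lock-step, count = shortest source), and each distinct priority level multiplies with the others.

```python
"""Added example (not WebScarab code): combining fuzz sources by priority."""
from dataclasses import dataclass
from itertools import product
from typing import Optional
from urllib.parse import quote, urlencode

# Parameters are applied in this order, as the announcement describes.
LOCATION_ORDER = ("Path", "Fragment", "Query", "Cookie", "Body")


@dataclass
class Parameter:              # constructed for this example, not WebScarab's class
    location: str             # one of LOCATION_ORDER
    name: str                 # ignored for Path
    default: str              # sent whenever no fuzz source is configured
    priority: int = 0         # equal -> lock-step, different -> product
    fuzz_source: Optional[list] = None


def _levels(params):
    """Group fuzzed parameters by priority. Within a group the sources are
    zipped, so the group yields as many rows as its shortest source."""
    by_prio = {}
    for i, p in enumerate(params):
        if p.fuzz_source:
            by_prio.setdefault(p.priority, []).append((i, p))
    levels = []
    for prio in sorted(by_prio):
        group = by_prio[prio]
        idx = [i for i, _ in group]
        rows = [dict(zip(idx, vals))
                for vals in zip(*(p.fuzz_source for _, p in group))]
        levels.append(rows)
    return levels


def expected_request_count(params):
    """Product, over priority levels, of the shortest source in each level."""
    n = 1
    for rows in _levels(params):
        n *= len(rows)
    return n


def generate_requests(method, base_url, params):
    """Yield one request dict per combination; the body is form-urlencoded
    (the only POST content type the announcement says is supported)."""
    levels = _levels(params)
    for combo in (product(*levels) if levels else [()]):
        chosen = {}
        for row in combo:
            chosen.update(row)
        values = [(p, chosen.get(i, p.default)) for i, p in enumerate(params)]
        values.sort(key=lambda pv: LOCATION_ORDER.index(pv[0].location))
        url, fragment, query, cookies, body = base_url, "", [], [], []
        for p, v in values:
            if p.location == "Path":
                url += "/" + quote(v, safe="")
            elif p.location == "Fragment":
                fragment = "#" + quote(v)
            elif p.location == "Query":
                query.append((p.name, v))
            elif p.location == "Cookie":
                cookies.append(f"{p.name}={v}")
            elif p.location == "Body":
                body.append((p.name, v))
        if query:
            url += "?" + urlencode(query)
        url += fragment
        yield {"method": method, "url": url,
               "headers": {"Cookie": "; ".join(cookies)} if cookies else {},
               "body": urlencode(body)}


# Constructed demonstration data (the announcement's username/password case).
USERNAMES = ["alice", "bob", "carol"]
PASSWORDS = ["spring", "summer"]


def lockstep_params():
    """Same priority: pairs consumed in lock-step, 2 requests."""
    return [Parameter("Body", "user", "guest", 1, USERNAMES),
            Parameter("Body", "pass", "guest", 1, PASSWORDS)]


def product_params():
    """Different priorities: every password for each username, 6 requests."""
    return [Parameter("Body", "user", "guest", 1, USERNAMES),
            Parameter("Body", "pass", "guest", 2, PASSWORDS)]


if __name__ == "__main__":
    for label, ps in (("lock-step", lockstep_params()), ("product", product_params())):
        print(label, expected_request_count(ps))
        for r in generate_requests("POST", "http://example.test/login", ps):
            print("  ", r["body"])
```

Running the block prints 2 bodies for the lock-step case and 6 for the product case; a parameter with no fuzz source always contributes its default and never changes the count.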

Search

The search plugin allows you to execute arbitrary beanshell scripts to
identify "interesting" conversations. You are provided with the request,
response, and origin (originating plugin) of the conversation, and can
use the class methods to return a true or false value. A true value
indicates an interesting conversation that should be displayed, and a
false value indicates that the conversation should not be displayed.

An example might be something like:

response.getContent() != null && new String(response.getContent()).matches("(?s).*[Ee](rror|xception).*")

which makes sure that the response HAS content (byte[]), before checking
to see if a String constructed from that content contains any of the
strings: Error, error, Exception, exception. The (?s) instructs the Java
Regex algorithm to perform a multi-line match, i.e. enables the period
to match a linefeed character.

BeanShell also does automatic JavaBean introspection, so in fact, the
call to response.getContent() could also be written as
"response.content", with BeanShell using the getters and setters
appropriately.

For details of the class methods available, please consult the JavaDocs
(included in the installer build) for
org.owasp.webscarab.model.(Request|Response). Origin is simply a String
matching the plugin name.

Compare

This plugin takes a "base conversation" selected from the drop down
list, tokenizes it into words, and then executes a Levenshtein Edit
Distance algorithm on the results. The Distance figure calculated is
thus the number of words which should be added/changed/removed to
transform the "base conversation" into the relevant conversation in the
table. Selecting a conversation in the table will show both responses
side by side, for visual inspection. If anyone knows of a nice
embeddable Java "diff viewer component", under the GPL or LGPL, please
let me know. Ideally, it should highlight the places that differ, which
this plugin currently does not do.
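The word-level Levenshtein comparison described above, as an added example in Python rather than the plugin's Java; the tokenizer, the sample responses and the conversation names are constructed here, and the announcement does not say how WebScarab itself splits a conversation into words. The closing word_diff helper uses Python's difflib to mark the differing regions, which is the highlighting the plugin does not yet do.

```python
"""Added example (not WebScarab code): word-token edit distance between responses."""
import re
from difflib import SequenceMatcher


def tokenize(text):
    """Split a response into word tokens (one reasonable choice, assumed here)."""
    return re.findall(r"\w+", text)


def word_edit_distance(base_tokens, other_tokens):
    """Levenshtein distance over token sequences: the minimum number of words
    added, changed or removed to turn the base into the other conversation."""
    m, n = len(base_tokens), len(other_tokens)
    prev = list(range(n + 1))            # distance from empty base prefix
    for i in range(1, m + 1):
        cur = [i] + [0] * n
        for j in range(1, n + 1):
            cost = 0 if base_tokens[i - 1] == other_tokens[j - 1] else 1
            cur[j] = min(prev[j] + 1,        # remove a base word
                         cur[j - 1] + 1,     # add a word
                         prev[j - 1] + cost) # change (or keep) a word
        prev = cur
    return prev[n]


def rank_conversations(base, others):
    """Return (distance, name) pairs, nearest to the base first."""
    bt = tokenize(base)
    return sorted((word_edit_distance(bt, tokenize(body)), name)
                  for name, body in others.items())


def word_diff(base_tokens, other_tokens):
    """Differing regions as (tag, base_words, other_words), for highlighting."""
    sm = SequenceMatcher(a=base_tokens, b=other_tokens, autojunk=False)
    return [(tag, base_tokens[i1:i2], other_tokens[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


# Constructed sample responses standing in for the conversation table.
BASE = "Welcome back alice, you have 3 new messages"
OTHERS = {
    "bob_login": "Welcome back bob, you have 3 new messages",
    "more_mail": "Welcome back alice, you have 12 new messages",
    "failed_login": "Invalid username or password",
}

if __name__ == "__main__":
    for dist, name in rank_conversations(BASE, OTHERS):
        print(dist, name, word_diff(tokenize(BASE), tokenize(OTHERS[name])))
```

A distance of 1 here means a single word differs (a username or a count), while a wholly different page scores close to the longer token count, which is the kind of signal the table is meant to surface.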

There are various other improvements, such as the ability to prevent
conversations from being added to the list, or being analysed by the
various plugins. This is implemented in the form of a Scripting Hook,
accessible via Tools -> Script Manager.

e.g. The following snippet prevents images and css resources from being
added to the conversation list.

// Scripting Hook (BeanShell): cancel conversations for static resources.
request = conversation.getRequest();
url = request.getURL().toString();
// (?i) makes the match case-insensitive; the dot before the extension
// must be escaped as \\. inside a Java string literal.
if (url.matches("(?i).*\\.(gif|jpg|css)$"))
    conversation.setCancelled(true);

If you have any trouble with this new release, or any comments/feature
requests, etc, please mail the webscarab mailing list:
owasp-webscarab AT lists.sourceforge.net

Have fun with it!

Rogan

