Re: Webscarab how to?

[Rogan Dawes <discard () dawes za net>]

Jezebel Ali wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greetings,
>
> This question are asked before and true is not much information
> availble.  Please first look here:
> http://seclists.org/lists/webappsec/2006/Apr-Jun/0401.html
>
> After you read, it clear that fuzzer require text file for filling
> in detail.  For this you need download jar file from link above and
> find two file "sql" and "xss".  Although not well document,
> WebScarab very comprehensive tool and I think it being rebuilt.
>
> Sorry my bad englisk.
>
> Kind regards,
> Jez

Thanks for responding, Jez.

There is one thing that I left out of the explanation that Iwrote 
previously.

By far the easiest way to fuzz a conversation (request/response pair) 
that you have already seen (i.e. is visible in the Summary), is to right 
click on the conversation in the Summary, and select "Use as fuzz 
template". Then switch to the Fuzzer, and you will see the conversation 
already loaded into the interface.

Then it is easy to select which parameters you wish to fuzz, and the 
fuzz sources that you want to use.

Hope this helps.

Rogan


-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of 
sensitive data - personal, medical and financial - are exchanged, and 
stored. Consumers expect and demand security for this information. This 
whitepaper examines a few vulnerability detection methods - specifically 
comparing and contrasting manual penetration testing with automated 
scanning tools. Download "Automated Scanning or Manual Penetration 
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------