WebApp Sec mailing list archives

Re: Re: Webscarab how to?


From: mr.nasty () ix netcom com
Date: 3 Jul 2006 14:00:40 -0000

Thanks for the info.  I had seen some of these posts and was hoping to start something of a users discussion about 
WebScarab since it appears to be the only FREE tool out there that performs web application vulnerability analysis.

I know I'm asking a lot, but I think a briefing, like a how-to, say, on setting up a fuzzer:

EXAMPLE:
After setting up the proxy and viewing a conversation, select and right click a conversation ID.  Select "Use a Fuzz 
Template" and click on Fuzzer.

The conversation appears.

What are some of the changes you can make to the:
1) Method
2) URL
3) Header (info)
4) Value
5) Parameters
   a) Location
   b) Name
   c) Type
   d) Value
   e) Priority
   f) *Fuzz Source
      *Using the "Fuzz Source" click on "Sources" at the bottom of Parameters.  This should open a "Fuzz Sources" 
dialog box.

I created a .txt file using upper and lower case letters, all numbers 0-9, and other characters one line each.  I put 
the file in the webscarab/scripts directory and called it ascii.txt.  I browsed to the file and added the file and 
received the following;

java.lang.NullPointerException
        at java.util.TreeMap.compare(Unknown Source)
        at java.util.TreeMap.getEntry(Unknown Source)
        at java.util.TreeMap.get(Unknown Source)
        at org.owasp.webscarab.plugin.fuzz.FuzzFactory.getSource(FuzzFactory.java:70)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$ParameterTableModel.setValueAt(FuzzerPanel.java:1119)
        at javax.swing.JTable.setValueAt(Unknown Source)
        at javax.swing.JTable.editingStopped(Unknown Source)
        at javax.swing.AbstractCellEditor.fireEditingStopped(Unknown Source)
        at javax.swing.DefaultCellEditor$EditorDelegate.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor$3.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor$EditorDelegate.actionPerformed(Unknown Source)
        at javax.swing.JComboBox.fireActionEvent(Unknown Source)
        at javax.swing.JComboBox.contentsChanged(Unknown Source)
        at javax.swing.JComboBox.intervalRemoved(Unknown Source)
        at javax.swing.AbstractListModel.fireIntervalRemoved(Unknown Source)
        at javax.swing.DefaultComboBoxModel.removeAllElements(Unknown Source)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.updateFields(FuzzerPanel.java:216)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.access$2500(FuzzerPanel.java:93)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$18.run(FuzzerPanel.java:953)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$Listener.runOnEDT(FuzzerPanel.java:1015)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$Listener.propertyChange(FuzzerPanel.java:956)
        at java.beans.PropertyChangeSupport.firePropertyChange(Unknown Source)
        at java.beans.PropertyChangeSupport.firePropertyChange(Unknown Source)
        at org.owasp.webscarab.plugin.fuzz.FuzzFactory.addSource(FuzzFactory.java:48)
        at org.owasp.webscarab.plugin.fuzz.FuzzFactory.loadFuzzStrings(FuzzFactory.java:56)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.addButtonActionPerformed(FuzzerPanel.java:791)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.access$1100(FuzzerPanel.java:93)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$5.actionPerformed(FuzzerPanel.java:417)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)

Then re-clicked "Source" and added the ascii.txt file again, and then selected the Fuzz Source drop-down menu and 
selected ascii.txt.

The bottom left indicates "Started" with 8.18/63.56.  Not exactly sure what that means.

But I think we could set up a presentation for just about the entire webscarab thing for setting up or using 
"WebServices, Manual Requests, Spider, Extensions etc."

I'm willing to help with whatever I can do.

Thanks
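An added example, not part of the original post or of WebScarab itself, of producing a fuzz-source file in the one-value-per-line layout the post describes for ascii.txt (upper- and lower-case letters, digits 0-9 and the other printable ASCII characters, one per line) and reading it back the way a line-oriented loader would. The file name is taken from the post; the output directory and the loader's blank-line handling are assumptions made here, not WebScarab's own behaviour.

```python
import string
from pathlib import Path


def build_fuzz_entries():
    # Letters, digits and ASCII punctuation, one entry each, as the post
    # describes. Space is deliberately left out: a line holding only a
    # space cannot be told apart from a blank line by a line-based loader.
    return list(string.ascii_letters + string.digits + string.punctuation)


def write_fuzz_source(path, entries):
    # One fuzz value per line, with a trailing newline so the last entry
    # is terminated like the others. Returns the number of entries written.
    Path(path).write_text("\n".join(entries) + "\n", encoding="ascii")
    return len(entries)


def parse_fuzz_lines(text):
    # Split a fuzz-source file into values: strip CR/LF so a file saved on
    # Windows loads the same, and drop blank lines so no empty value is
    # injected by accident.
    return [line.rstrip("\r\n") for line in text.splitlines(keepends=True)
            if line.strip()]


def load_fuzz_source(path):
    # Read the file back and return the list of fuzz values it contains.
    return parse_fuzz_lines(Path(path).read_text(encoding="ascii"))


if __name__ == "__main__":
    # Assumed location: the post keeps the file under webscarab/scripts/;
    # the current directory is used here so the script runs anywhere.
    target = "ascii.txt"
    written = write_fuzz_source(target, build_fuzz_entries())
    loaded = load_fuzz_source(target)
    print(f"wrote {written} entries to {target}; reloaded {len(loaded)}")
```

Generating the list from the standard character classes rather than typing it out avoids the easy mistake of missing a character or leaving an empty line in the middle of the file, and the loader shows which lines a one-value-per-line format actually treats as entries.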
