WebApp Sec mailing list archives

Re: Webscarab how to?

From: Rogan Dawes <discard () dawes za net>
Date: Tue, 04 Jul 2006 15:03:34 +0200

mr.nasty () ix netcom com wrote:

Thanks for the info.  I had seen some of these posts and was hoping to start something of a users discussion about 
WebScarab since it appears to be the only FREE tool out there that performs web application vulnerability analysis.

I know I'm asking a lot but I think briefing like a how to say set up a fuzzer;

EXAMPLE:
After setting up the proxy and viewing a conversation, select and right click a conversation ID.  Select "Use a Fuzz 
Template" and click on Fuzzer.

The conversation appears.

What are some of the changes you can make to the;
1) Method
2) URL
3) Header (info)
4) Value
5) Parameters
   a) Location
   b) Name
   c) Type
   d) Value
   e) Priotiy
   f) *Fuzz Source
      *Using the "Fuzz Source" click on "Sources" at the bottom of Parameters.  This should open a "Fuzz Sources" 
dialog box.

I created a .txt file using upper and lower case letters, all numbers 0-9, and other characters one line each.  I put 
the file in the webscarab/scripts directory and called it ascii.txt.  I browsed to the file and added the file and 
received the following;

ava.lang.NullPointerException
        at java.util.TreeMap.compare(Unknown Source)
        at java.util.TreeMap.getEntry(Unknown Source)
        at java.util.TreeMap.get(Unknown Source)
        at org.owasp.webscarab.plugin.fuzz.FuzzFactory.getSource(FuzzFactory.java:70)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$ParameterTableModel.setValueAt(FuzzerPanel.java:1119)

I think that you need to make sure to accept the change when setting theFuzz Source, possibly by pressing Enter.


The bottom left indicates "Started" with 8.18/63.56.  Not exactly sure what that means.


Did you really have fractions? That is VERY weird!


But I think we could set up a presentation for just about the entire webscarab thing for setting up or using "WebServices, 
Manual Requests, Spider, Extensions etc."

I'm willing to help with whatever I can do.

Thanks

I have written up a description on what the various columns are, etc.You can find it at http://www.owasp.org/index.php/Fuzzing_with_WebScarab


I hope that this explains things a bit better.

Regards,

Rogan

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application usingmanual processes, or by using automated systems and tools. Watchfire's"Web Application Security: Automated Scanning or Manual PenetrationTesting?" whitepaper examines a few vulnerability detection methods -specifically comparing and contrasting manual penetration testing withautomated scanning tools. Download it today!


https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------

Current thread:

Re: Webscarab how to? Jezebel Ali (Jul 01)
- Re: Webscarab how to? Rogan Dawes (Jul 01)
- <Possible follow-ups>
- Re: Re: Webscarab how to? mr . nasty (Jul 03)
  - Re: Webscarab how to? Rogan Dawes (Jul 04)
- RE: Re: Webscarab how to? PPowenski (Jul 04)
- Re: RE: Re: Webscarab how to? f_kenisky (Jul 08)
  - Re: RE: Re: Webscarab how to? c0redump (Jul 09)
  - Re: Webscarab how to? Rogan Dawes (Jul 09)