New release of WebScarab

Subject: New release of WebScarab
Date: Mon, 20 Jun 2005 17:41:09 +0200
Hi folks,

This is to announce that a new release of WebScarab has been uploaded to
Sourceforge.

<https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823>

This is a major improvement, with 3 new plugins:

* Fuzzer (at LAST!)
* Search
* Compare

Fuzzer

The fuzzer basically allows you to throw a combination of values at a
server. It is still a little rough, but functionally, it works pretty
well. The idea is that you configure the request method, the basic URL
(without any parameters), the request version, any headers (e.g. a Host:
header if you are using HTTP/1.1, etc. Don't configure cookies here!),
and a list of Parameters.

A Parameter is defined by its location (Path, Fragment, Query, Cookie,
Body), its name (ignored for Path), type == String, Default value, Fuzz
Priority, and a fuzz source.

The default value is the value that will be submitted if no fuzz source
is defined.

The fuzz priority defines how the various fuzz sources are combined: if
all the priorities are the same value, the number of queries submitted
will be the number of items in the shortest fuzz source. If they are
different values, the number of queries generated will be the product of
the number of items in each level.

An example would be if you had a list of usernames and passwords. If
both username and password parameters had the same priority, usernames
and passwords would be consumed in lock-step. If they had different
priorities, EVERY password would be tried for each username.

Parameters are processed in order, first path, then fragment, then
query, then cookie, then body. The only content type supported for POST
Requests is application/x-www-urlencoded, it does not support multi-part
(although provision is made for parameters of different types, e.g.
File), or XML documents, etc. Multi-part and XML will be the next evolution.

Search

The search plugin allows you to execute arbitrary beanshell scripts to
identify "interesting" conversations. You are provided with the request,
response, and origin (originating plugin) of the conversation, and can
use the class methods to return a true or false value. A true value
indicates an interesting conversation that should be displayed, and a
false value indicates that the conversation should not be displayed.

An example might be something like:

response.getContent() != null &&
    new String(response.getContent()).matches("(?s).*[Ee](rror|xception).*")

which makes sure that the response HAS content (byte[]), before checking
to see if a String constructed from that content contains any of the
strings: Error, error, Exception, exception. The (?s) instructs the Java
Regex algorithm to perform a multi-line match, i.e. enables the period
to match a linefeed character.

BeanShell also does automatic JavaBean introspection, so in fact, the
call to response.getContent() could also be written as
"response.content", with BeanShell using the getters and setters
appropriately.

For details of the class methods available, please consult the JavaDocs
(included in the installer build) for
org.owasp.webscarab.model.(Request|Response). Origin is simply a String
matching the plugin name.

Compare

This plugin takes a "base conversation" selected from the drop down
list, tokenizes it into words, and then executes a Levenshtein Edit
Distance algorithm on the results. The Distance figure calculated is
thus the number of words which should be added/changed/removed to
transform the "base conversation" into the relevant conversation in the
table. Selecting a conversation in the table will show both responses
side by side, for visual inspection. If anyone knows of a nice
embeddable Java "diff viewer component", under the GPL or LGPL, please
let me know. Ideally, it should highlight the places that differ, which
this plugin currently does not do.

There are various other improvements, such as the ability to prevent
conversations from being added to the list, or being analysed by the
various plugins. This is implemented in the form of a Scripting Hook,
accessible via Tools -> Script Manager.

e.g: The following snippet prevents images and css resources from being
added to the conversation list.

// Cancel conversations for static resources; (?i) makes the match case-insensitive
request = conversation.getRequest();
url = request.getURL().toString();
if (url.matches("(?i).*\\.(gif|jpg|css)$"))
    conversation.setCancelled(true);

If you have any trouble with this new release, or any comments/feature
requests, etc, please mail the webscarab mailing list:
owasp-webscarab AT lists.sourceforge.net

Have fun with it!

Rogan
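
Added example, not part of the original message and not WebScarab's own code: a small Java model of the fuzz priority rule from the Fuzzer section, useful for working out how many requests a configuration will send before running it. The Param record and expand method are hypothetical names, the sample values are constructed, parameters without a fuzz source are left out, and records need Java 16 or later.

```java
import java.util.*;

public class FuzzPriorityDemo {
    // Hypothetical model of one fuzzer parameter: name, fuzz priority, fuzz source values.
    record Param(String name, int priority, List<String> source) {}

    // Same priority: sources are consumed in lock-step, stopping at the shortest.
    // Different priorities: the levels are combined as a cross product.
    static List<Map<String, String>> expand(List<Param> params) {
        // Group the parameters by priority level (TreeMap keeps a stable order).
        Map<Integer, List<Param>> levels = new TreeMap<>();
        for (Param p : params)
            levels.computeIfAbsent(p.priority(), k -> new ArrayList<>()).add(p);

        List<Map<String, String>> requests = new ArrayList<>();
        requests.add(new LinkedHashMap<>());            // one empty assignment to start from
        for (List<Param> level : levels.values()) {
            // Rows in this level = number of items in its shortest fuzz source.
            int rows = level.stream().mapToInt(p -> p.source().size()).min().getAsInt();
            List<Map<String, String>> next = new ArrayList<>();
            for (Map<String, String> partial : requests) {
                for (int i = 0; i < rows; i++) {
                    Map<String, String> r = new LinkedHashMap<>(partial);
                    for (Param p : level) r.put(p.name(), p.source().get(i));
                    next.add(r);
                }
            }
            requests = next;                            // product with the levels seen so far
        }
        return requests;
    }

    public static void main(String[] args) {
        List<String> users = List.of("user1", "user2", "user3");   // constructed sample
        List<String> passwords = List.of("valueA", "valueB");      // constructed sample

        List<Map<String, String>> same = expand(List.of(
            new Param("username", 1, users), new Param("password", 1, passwords)));
        List<Map<String, String>> different = expand(List.of(
            new Param("username", 1, users), new Param("password", 2, passwords)));

        System.out.println("same priority: " + same.size() + " requests");
        same.forEach(System.out::println);
        System.out.println("different priorities: " + different.size() + " requests");
        different.forEach(System.out::println);
    }
}
```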
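
Added example, not part of the original message and not the plugin's source: a word-level Levenshtein distance of the kind the Compare section describes, run over constructed response bodies to show how an error page stands out from a baseline response. Splitting on whitespace is an assumption, since the message does not say how the plugin tokenizes, and the class and method names are hypothetical.

```java
public class WordEditDistance {
    // Assumption: words are whitespace-separated tokens.
    static String[] tokenize(String body) {
        String t = body.trim();
        return t.isEmpty() ? new String[0] : t.split("\\s+");
    }

    // Levenshtein edit distance over words (not characters), two-row dynamic programming.
    static int distance(String[] a, String[] b) {
        int[] prev = new int[b.length + 1];
        int[] cur = new int[b.length + 1];
        for (int j = 0; j <= b.length; j++) prev[j] = j;    // empty prefix -> j insertions
        for (int i = 1; i <= a.length; i++) {
            cur[0] = i;                                      // i removals to reach empty
            for (int j = 1; j <= b.length; j++) {
                int change = prev[j - 1] + (a[i - 1].equals(b[j - 1]) ? 0 : 1);
                int remove = prev[j] + 1;
                int add = cur[j - 1] + 1;
                cur[j] = Math.min(change, Math.min(remove, add));
            }
            int[] tmp = prev; prev = cur; cur = tmp;         // reuse the two rows
        }
        return prev[b.length];
    }

    public static void main(String[] args) {
        // Constructed response bodies standing in for recorded conversations.
        String base = "Welcome back alice . Your balance is 10 credits";
        String[] others = {
            "Welcome back bob . Your balance is 10 credits",
            "Error : unexpected exception while loading account",
            base
        };
        String[] baseWords = tokenize(base);
        for (String body : others)
            System.out.println(distance(baseWords, tokenize(body)) + "\t" + body);
    }
}
```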
