Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Re: Webscarab how to?

from [mr . nasty] Network Security [Permanent Link]
Subject: Re: Re: Webscarab how to?
Date: 3 Jul 2006 14:00:40 -0000 
Thanks for the info.  I had seen some of these posts and was hoping to start 
something of a users discussion about WebScarab since it appears to be the only 
FREE tool out there that performs web application vulnerability analysis.

I know I'm asking a lot but I think briefing like a how to say set up a fuzzer;

EXAMPLE:
After setting up the proxy and viewing a conversation, select and right click a 
conversation ID.  Select "Use a Fuzz Template" and click on Fuzzer.

The conversation appears.

What are some of the changes you can make to the;
1) Method
2) URL
3) Header (info)
4) Value
5) Parameters
   a) Location
   b) Name
   c) Type
   d) Value
   e) Priotiy
   f) *Fuzz Source
      *Using the "Fuzz Source" click on "Sources" at the bottom of Parameters.  
This should open a "Fuzz Sources" dialog box.

I created a .txt file using upper and lower case letters, all numbers 0-9, and 
other characters one line each.  I put the file in the webscarab/scripts 
directory and called it ascii.txt.  I browsed to the file and added the file 
and received the following;

ava.lang.NullPointerException
        at java.util.TreeMap.compare(Unknown Source)
        at java.util.TreeMap.getEntry(Unknown Source)
        at java.util.TreeMap.get(Unknown Source)
        at 
org.owasp.webscarab.plugin.fuzz.FuzzFactory.getSource(FuzzFactory.java:70)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$ParameterTableModel.setValueAt(FuzzerPanel.java:1119)
        at javax.swing.JTable.setValueAt(Unknown Source)
        at javax.swing.JTable.editingStopped(Unknown Source)
        at javax.swing.AbstractCellEditor.fireEditingStopped(Unknown Source)
        at javax.swing.DefaultCellEditor$EditorDelegate.stopCellEditing(Unknown 
Source)
        at javax.swing.DefaultCellEditor$3.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor$EditorDelegate.actionPerformed(Unknown 
Source)
        at javax.swing.JComboBox.fireActionEvent(Unknown Source)
        at javax.swing.JComboBox.contentsChanged(Unknown Source)
        at javax.swing.JComboBox.intervalRemoved(Unknown Source)
        at javax.swing.AbstractListModel.fireIntervalRemoved(Unknown Source)
        at javax.swing.DefaultComboBoxModel.removeAllElements(Unknown Source)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.updateFields(FuzzerPanel.java:216)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.access$2500(FuzzerPanel.java:93)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$18.run(FuzzerPanel.java:953)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$Listener.runOnEDT(FuzzerPanel.java:1015)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$Listener.propertyChange(FuzzerPanel.java:956)
        at java.beans.PropertyChangeSupport.firePropertyChange(Unknown Source)
        at java.beans.PropertyChangeSupport.firePropertyChange(Unknown Source)
        at 
org.owasp.webscarab.plugin.fuzz.FuzzFactory.addSource(FuzzFactory.java:48)
        at 
org.owasp.webscarab.plugin.fuzz.FuzzFactory.loadFuzzStrings(FuzzFactory.java:56)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.addButtonActionPerformed(FuzzerPanel.java:791)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.access$1100(FuzzerPanel.java:93)
        at 
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$5.actionPerformed(FuzzerPanel.java:417)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown 
Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)

The re-clicked "Source" and added the ascii.txt file again and then selected 
the Fuzz Source drop down menu and selected ascii.txt.

The bottom left indicates "Started" with 8.18/63.56.  Not exactly sure what 
that means.

But I think we could set up a presentation for just about the entire webscarab 
thing for setting up or using "WebServices, Manual Requests, Spider, Extensions 
etc."

I'm willing to help with whatever I can do.

Thanks

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of 
sensitive data - personal, medical and financial - are exchanged, and 
stored. Consumers expect and demand security for this information. This 
whitepaper examines a few vulnerability detection methods - specifically 
comparing and contrasting manual penetration testing with automated 
scanning tools. Download "Automated Scanning or Manual Penetration 
Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Two-Factor Authentication on the Web, Andrew van der Stock
Next by Date:  RE: Two-Factor Authentication on the Web, Lyal Collins
Previous by Thread:  Re: Webscarab how to?, Rogan Dawes
Next by Thread:  Re: Webscarab how to?, Rogan Dawes
Indexes:  [Date] [Thread] [Top] [All Lists]