mr.nasty@ix.netcom.com wrote:
Thanks for the info. I had seen some of these posts and was hoping to start
something of a users discussion about WebScarab since it appears to be the only
FREE tool out there that performs web application vulnerability analysis.
I know I'm asking a lot but I think briefing like a how to say set up a fuzzer;
EXAMPLE:
After setting up the proxy and viewing a conversation, select and right click a
conversation ID. Select "Use a Fuzz Template" and click on Fuzzer.
The conversation appears.
What are some of the changes you can make to the;
1) Method
2) URL
3) Header (info)
4) Value
5) Parameters
a) Location
b) Name
c) Type
d) Value
e) Priotiy
f) *Fuzz Source
*Using the "Fuzz Source" click on "Sources" at the bottom of Parameters. This
should open a "Fuzz Sources" dialog box.
I created a .txt file using upper and lower case letters, all numbers 0-9, and
other characters one line each. I put the file in the webscarab/scripts
directory and called it ascii.txt. I browsed to the file and added the file
and received the following;
ava.lang.NullPointerException
at java.util.TreeMap.compare(Unknown Source)
at java.util.TreeMap.getEntry(Unknown Source)
at java.util.TreeMap.get(Unknown Source)
at
org.owasp.webscarab.plugin.fuzz.FuzzFactory.getSource(FuzzFactory.java:70)
at
org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$ParameterTableModel.setValueAt(FuzzerPanel.java:1119)
I think that you need to make sure to accept the change when setting the
Fuzz Source, possibly by pressing Enter.
The bottom left indicates "Started" with 8.18/63.56. Not exactly sure what that means.
Did you really have fractions? That is VERY weird!
But I think we could set up a presentation for just about the entire webscarab thing
for setting up or using "WebServices, Manual Requests, Spider, Extensions etc."
I'm willing to help with whatever I can do.
Thanks
I have written up a description on what the various columns are, etc.
You can find it at http://www.owasp.org/index.php/Fuzzing_with_WebScarab
I hope that this explains things a bit better.
Regards,
Rogan
-------------------------------------------------------------------------
Sponsored by: Watchfire
Securing a web application goes far beyond testing the application using
manual processes, or by using automated systems and tools. Watchfire's
"Web Application Security: Automated Scanning or Manual Penetration
Testing?" whitepaper examines a few vulnerability detection methods -
specifically comparing and contrasting manual penetration testing with
automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
