
OWASP WebScarab






Presentation Transcript


  1. OWASP WebScarab • Uncovering the hidden treasures

  2. Overview • WebScarab aims to facilitate the review of web applications • Functional operations • Security Operations • It was written by a techie for personal use • Not always intuitive • Hidden keystrokes • Lack of examples

  3. Objectives • Show participants how some of the less obvious features work • Using the spider • Request Transforms • Using the Fuzzer • Comparing Responses • Searching WebScarab history

  4. Objectives • Show participants how some of the less obvious features work • Exploring the Beanshell • Writing Proxy Intercept scripts • Writing Script Manager Scripts • Writing other scripts

  5. WebScarab Spider

  6. Huh - Shared Cookies?

  7. Request Transforms

  8. Using the Fuzzer • You can hand craft a request, one parameter at a time

  9. Using the Fuzzer • Or you can use an existing request as a template!

  10. Fuzzer – Parameter fields • Location = Where the parameter can be found • Path, Fragment do not work • Name = Obvious • Type = Meaningless (I can’t remember why I added it!) • Value = default value when not being fuzzed • Priority = drives the permutations. • Same priority = lockstep, different = cross product

  11. Fuzzer – Fuzz sources • From a file (1 per line) • From a regex

  12. Fuzzer – Reviewing results

  13. Fuzzer – Reviewing results

  14. Searching in TextAreas • Press Ctrl-F in the TextArea to show the Search Bar • Or click in the TextArea, then click Find

  15. Searching in TextAreas • Search string is actually a regex. • WebScarab highlights any groups specified • This means you need to escape regex special characters!

  16. Comparing responses

  17. Comparing responses • You can also view the changes in a single window, rather than side by side, by pressing Ctrl-L in the compare window. Ctrl-L is a toggle: press it again to return to the side-by-side view.

  18. Searching history

  19. Searching history • Search expression is a BeanShell snippet • BeanShell is just interpreted Java, with some leniencies • Two predefined variables, request and response • If the expression returns true, the conversation is shown • Exceptions are counted as “false” • Very powerful, but not terribly friendly

  20. Request and Response API
  • Request:
      String getMethod()
      void setMethod(String method)
      HttpUrl getURL()
      void setURL(HttpUrl url)
      void setURL(String url) throws MalformedURLException
      String getVersion()
      void setVersion(String version)
  • Response:
      String getVersion()
      void setVersion(String version)
      String getStatus()
      void setStatus(String status)
      String getMessage()
      void setMessage(String message)
      String getStatusLine()

  21. Message API (shared by Request and Response)
  • String[] getHeaderNames()
  • String getHeader(String name)
  • void setHeader(String name, String value)
  • void addHeader(String name, String value)
  • void deleteHeader(String name)
  • NamedValue[] getHeaders()
  • void setHeaders(NamedValue[] headers)
  • byte[] getContent()
  • void setContent(byte[] content)

  22. Search expression examples
  • response.toString().indexOf("alert") > -1
  • new String(response.content).indexOf("alert") > -1
  • request.getHeader("Content-Type").startsWith("application")
  • request.getMethod().equals("POST")
  • new String(response.content).matches("(?s).*\tat .*") // stack traces
  • request.getURL().toString().startsWith("https://") && response.getHeader("Set-Cookie").indexOf("secure") == -1
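A slightly longer search expression, added here as an example and not one of the slide's own: it lists conversations where an HTML page containing a password field was served without "Cache-Control: no-store", i.e. a login form that a shared browser cache or proxy may retain. Every header access is guarded with a null check so that a missing header evaluates to false rather than throwing (WebScarab would count the exception as false anyway, but silently, which hides mistakes in the expression). Only the Request, Response and Message methods listed on the two preceding slides are used.

```java
// Added example (not from the slides): a WebScarab history search expression.
// "200".equals(...) rather than response.getStatus().equals("200") so that a
// null status cannot raise an exception.
"200".equals(response.getStatus())
  && response.getHeader("Content-Type") != null
  && response.getHeader("Content-Type").startsWith("text/html")
  && response.getContent() != null
  && new String(response.getContent()).toLowerCase().indexOf("type=\"password\"") > -1
  && (response.getHeader("Cache-Control") == null
      || response.getHeader("Cache-Control").toLowerCase().indexOf("no-store") == -1)
```

The expression is ordered from cheapest to most expensive check, so the body is only decoded into a String for HTML responses that passed the earlier tests.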

  23. Exploring the BeanShell

  24. Proxy -> BeanShell
  • Allows scripted modifications to proxied conversations
  • Useful for things like Ajax apps, or thick clients (think timeouts!)
  • Scripts must follow a very simple template:
      import … <whatever classes you use>
      public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
          response = nextPlugin.fetchResponse(request);
          return response;
      }

  25. Proxy -> BeanShell
  • Probably the most useful "general" example (change the two `if (false)` conditions to `true` to edit requests or responses by hand):
      import org.owasp.webscarab.model.Request;
      import org.owasp.webscarab.model.Response;
      import org.owasp.webscarab.httpclient.HTTPClient;
      import java.io.IOException;
      import org.owasp.webscarab.plugin.proxy.swing.ManualEditFrame;

      public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
          ManualEditFrame mef = new ManualEditFrame();
          if (false) request = mef.editRequest(request);
          response = nextPlugin.fetchResponse(request);
          if (false) response = mef.editResponse(request, response);
          return response;
      }

  26. Proxy -> BeanShell
  • Other simple examples (each goes in the body of the fetchResponse template above):
      request.deleteHeader("HeaderName");
      response = nextPlugin.fetchResponse(request);
  •
      request.deleteHeader("HeaderName");
      response = nextPlugin.fetchResponse(request);
      response.addHeader("X-MyMarker", "I deleted HeaderName");
  •
      request.setHeader("Cookie", "JSESSIONID=somevalue");
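The following complete Proxy -> BeanShell script is an added example, not one of the slides' own, that puts the template from slide 24 and the header snippets from slide 26 together. On the way out it drops a header the client adds that should not reach the server; on the way back it performs a passive check and tags responses that set a cookie over HTTPS without the Secure attribute, or without HttpOnly, so they are easy to spot in the conversation list. The imports and methods are those shown on the preceding slides; the header names X-Debug-Token and X-WebScarab-Finding are invented for the example.

```java
// Added example (not from the slides): Proxy -> BeanShell intercept script.
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import java.io.IOException;

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    // 1. Outbound: remove a client-side header that must not be forwarded
    //    (X-Debug-Token is a made-up name for the example).
    request.deleteHeader("X-Debug-Token");

    // 2. Hand the request to the next plugin in the chain and get the real response.
    response = nextPlugin.fetchResponse(request);

    // 3. Inbound: passive cookie-attribute check. The null test matters because
    //    most responses carry no Set-Cookie header at all.
    String cookie = response.getHeader("Set-Cookie");
    boolean https = request.getURL().toString().startsWith("https://");
    if (cookie != null) {
        String lower = cookie.toLowerCase();
        if (https && lower.indexOf("secure") == -1) {
            // addHeader rather than setHeader so several findings can coexist.
            response.addHeader("X-WebScarab-Finding", "Set-Cookie without Secure over HTTPS");
        }
        if (lower.indexOf("httponly") == -1) {
            response.addHeader("X-WebScarab-Finding", "Set-Cookie without HttpOnly");
        }
    }
    return response;
}
```

The marker header is added to the response as seen by WebScarab, so it shows up when you search history for `response.getHeader("X-WebScarab-Finding") != null`; the browser also receives it, which is harmless for a tester's own session.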

  27. Script Manager
  • An alternative way of executing scripts
  • Script structure is somewhat different
  • See the explanation for details
  • E.g. Intercept Request: called when a new request has been submitted by the browser; use connection.getRequest() and connection.setRequest(request) to perform changes
      request = connection.getRequest();
      request.setHeader("Cookie", "JSESSIONID=somevalue");
      connection.setRequest(request);

  28. Script Manager • Big difference is that you can load multiple scripts per hook • Can be enabled and disabled independently

  29. Script Manager caveat • Watch out for declaring objects with the same names in multiple scripts, though. • If you use formal declarations, BeanShell will error out and tell you that the object already exists. • Response response = connection.getResponse(); • I hope to fix this at some stage.

  30. BeanShell persistence
  • It is possible to persist values across script invocations
      import org.owasp.webscarab.model.*;
      Request r = connection.getRequest();
      Integer i = bsf.lookupBean("count");
      if (i == null) i = new Integer(0);
      if (i.intValue() % 2 == 0) {
          // do something
      }
      i = new Integer(i.intValue() + 1);
      bsf.registerBean("count", i);
      connection.setRequest(r);
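An added example (not from the slides) of a Script Manager "Intercept Request" script that combines slides 27, 29 and 30: it keeps a per-host request counter across invocations with bsf.lookupBean/registerBean, generalising the single Integer on slide 30 to a HashMap, and it deliberately uses no formal declarations, so a second script in the same hook that happens to use the same variable names does not hit the "object already exists" error from slide 29. The header name X-WebScarab-Seq is invented for the example, and HttpUrl.getHost() is assumed to exist (it is not listed on the API slide).

```java
// Added example (not from the slides): Script Manager "Intercept Request" hook.
import org.owasp.webscarab.model.*;
import java.util.HashMap;

// No "Request r = ..." style declarations: loose BeanShell variables avoid the
// duplicate-declaration error when several scripts share a hook.
r = connection.getRequest();
host = r.getURL().getHost();          // assumption: HttpUrl exposes getHost()

// Fetch the map persisted by earlier invocations, or start a fresh one.
counts = bsf.lookupBean("hostCounts");
if (counts == null) {
    counts = new HashMap();
}
n = (Integer) counts.get(host);
if (n == null) n = new Integer(0);
n = new Integer(n.intValue() + 1);
counts.put(host, n);
bsf.registerBean("hostCounts", counts);  // store the updated map for next time

// Tag the outgoing request with its per-host sequence number so findings in
// WebScarab can later be matched against entries in the server's own logs.
r.setHeader("X-WebScarab-Seq", host + "/" + n);
connection.setRequest(r);
```

Because the map object itself is what is registered, mutating it and re-registering under the same name is enough; there is no need to copy it on every request.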

  31. Scripted plugin
  • Intended to replace "cat request | nc target 80 | grep . . ."
  • Allows for multi-threaded execution of requests (4 threads hardcoded)
  • Object-oriented processing of results:
      getConversationCount()
      getConversationAt(int)
      getRequest(int)
      getRequest(ConversationID)
      getResponse(int)
      getResponse(ConversationID)
      getConversationProperty(int, String)
      getConversationProperty(ConversationID, String)
      getChildCount(String)          // the String is a URL
      getChildAt(String, int)        // the String is a URL
      getUrlProperty(String, String)
      fetchResponse(Request)
      hasAsyncCapacity()
      submitAsyncRequest(Request)
      hasAsyncResponse()
      getAsyncResponse()
      isAsyncBusy()
      addConversation(Response)

  32. Scripted plugin • Complex example
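As an added example in place of the slide's (absent) complex example, and not the presentation's own code: a Scripted plugin script that walks the existing conversation history and reports, per host, the HTML responses that lack the X-Frame-Options and Content-Security-Policy headers. It uses only functions from slide 31, assumed to be callable directly from the script with 0-based conversation indices as listed there; HttpUrl.getHost() and the BeanShell built-in print() are also assumed.

```java
// Added example (not from the slides): passive header audit over WebScarab history.
import org.owasp.webscarab.model.*;
import java.util.HashMap;
import java.util.Iterator;

missingByHost = new HashMap();   // host -> number of HTML responses missing a header

count = getConversationCount();
for (i = 0; i < count; i++) {
    request = getRequest(i);
    response = getResponse(i);
    if (request == null || response == null) continue;   // incomplete conversation

    // Only HTML documents are interesting for clickjacking / CSP checks.
    ctype = response.getHeader("Content-Type");
    if (ctype == null || !ctype.startsWith("text/html")) continue;

    host = request.getURL().getHost();          // assumption: HttpUrl.getHost()
    missing = "";
    if (response.getHeader("X-Frame-Options") == null) missing += " X-Frame-Options";
    if (response.getHeader("Content-Security-Policy") == null) missing += " Content-Security-Policy";
    if (missing.length() == 0) continue;

    n = (Integer) missingByHost.get(host);
    missingByHost.put(host, new Integer(n == null ? 1 : n.intValue() + 1));
    print(i + " " + request.getURL() + " missing:" + missing);
}

// Per-host summary, so a large history collapses to a short list.
for (it = missingByHost.keySet().iterator(); it.hasNext(); ) {
    host = it.next();
    print(host + ": " + missingByHost.get(host) + " HTML response(s) without X-Frame-Options / CSP");
}
```

The script never sends traffic; it reads conversations already captured by the proxy, so it can be re-run freely while refining the checks. To re-test a single page after a fix, the same script could hand one of the stored requests to fetchResponse(Request) and inspect the new response with the same header checks.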
