Home / Browse / OWASP Source Code Center / Mail / Archive

OWASP Source Code Center

Email Archive: owasp-webscarab (read-only)

2002:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov (2)	_Dec (3)
2003:	_Jan (1)	_Feb	_Mar	_Apr	_May (6)	_Jun (9)	_Jul (4)	_Aug (2)	_Sep (1)	_Oct (1)	_Nov (5)	_Dec (1)
2004:	_Jan	_Feb	_Mar (1)	_Apr (1)	_May (12)	_Jun (7)	_Jul	_Aug (10)	_Sep (5)	_Oct (10)	_Nov (4)	_Dec (7)
2005:	_Jan (35)	_Feb (11)	_Mar (18)	_Apr (36)	_May (12)	_Jun (46)	_Jul (9)	_Aug (32)	_Sep (11)	_Oct (10)	_Nov (10)	_Dec (14)
2006:	_Jan (33)	_Feb (26)	_Mar (15)	_Apr (5)	_May	_Jun (21)	_Jul (6)	_Aug (3)	_Sep (1)	_Oct	_Nov	_Dec


S	M	T	W	T	F	S
		1	2	3	4	5
			(2)
6	7	8	9	10	11	12
	(4)		(2)
13	14	15	16	17	18	19
	(3)	(2)
20	21	22	23	24	25	26
	(2)			(1)
27	28	29	30	31
	(1)	(1)

[OWASP-WEBSCARAB] Updates in CVS

From: <rogan@da...> - 2005-03-24 08:46

Hi folks,

There are some new changes checked into CVS at Sourceforge. 

Most notably, the SessionID plugin should work again. I had made a mistake when
refactoring, and the "setSession()" method was not being called properly due to
an incorrect prototype. Now you should be able to save and reload your
sessionids.

Additionally, the sessionid plugin now allows you to use a regular expression
when collecting sessionids. This is useful if you only want to harvest a
substring of the sessionid, excluding a constant part, for instance. The
default regex is:

(.*)

The brackets are required to indicate which portion of the regex should be used
in the sessionid. The regular expression must match the ENTIRE value part of
the cookie, from start to finish. You cannot use "AA(......)BB" to match
against a Set-Cookie header of "JSESSIONID=CCAAabcdefBBDD", because it does not
match the entire string "CCAAabcdefBBDD". You could use ".*AA(......).*",
though.

You can now also extract sessionids from the message body, by selecting the
"message body" checkbox, providing a name for the ID, and entering a regular
expression. Again, the regular expression should match the entire content
string, so prefix and suffix it with ".*". The pattern is compiled with
multi-line support and DOTALL support, so that a "." will match a CR or LF.

Also newly visible in the CVS version is VERY rough support for a fuzzer
implementation. Currently it only identifies possible applications (an URL that
has been sent parameters), and checks to see which of those URL's vary if the
parameters are removed. Future code will also provide a way of selecting a
particular "parameter signature", and fuzzing the URL based on the signature.

Finally, I have "patched" the error in Cookie handling where it receives an
attribute that it does not understand. So now unknown attributes will generate
a warning, but not an exception.

Let me know what you think.

Rogan

[OWASP-WEBSCARAB] Need examples for A2,A3

From: Ankam, Arunkumar <aankam@ro...> - 2005-03-21 13:09

Attachments: Message as HTML

Hi all,
=20
                 Can anyone provide me some examples for A2, A3.Please
reply as early as possible.
         =20
=20
=20
=20
=20
Thanks and regards
Arun kumar.
                 =20
               =20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20
=20

Re: [OWASP-WEBSCARAB] Need examples for A2,A3

From: William Stranathan <shi1wei3@gm...> - 2005-03-21 13:29

Again, there's no silver bullet for any of these.

A2.  The most typical vulnerability there is "fail open"
vulnerabilities - your access is only enforced by what's on your menu.
 So if only Administrators can add new customers, they get a link on
their menu that points to customers.jsp.  What happens when a normal
user types customers.jsp into the URL bar?

A3.  This could be any number of flaws in the login process where the
user is AUTHENTICATED.  If there's no account lockout policy, then
you're susceptible to brute-force attacks.  If there's no minimum
password requirements, brute-force is easy.  If there are "back door"
accounts and such with blank passwords or whatever, there's another
vulnerability.  If the user is given different error messages for an
invalid user vs. an invalid password, there's another vulnerability
(this could also be categorized under A7.)  If the underlying
authentication mechanism fails, does the application left everybody
in?

w

On Mon, 21 Mar 2005 18:39:25 +0530, Ankam, Arunkumar
<aankam@...> wrote:
>  
>  
>                  Can anyone provide me some examples for A2, A3.Please reply
> as early as possible. 
> 
> Arun kumar.

Re: [OWASP-WEBSCARAB] whether webscarab supports Cross site scripting,Buffer Overflows,SQLInjection,Forced Browsing

From: William Stranathan <shi1wei3@gm...> - 2005-03-15 15:06

I think there was a response on the list yesterday that began to touch
on that.  There's not a "silver bullet" for any one of the top ten to
see if the application is vulnerable to the particular exploit.

A1)  Change phone_num param to "ABCD"
A2)  Try to browse to a page you know only an administrator can access
by using a non-administrator ID.
A3)  Try to hit a protected page after deleting the SessionID cookie
A4)  change phone_num param to "<script>alert('xss');</script>"
A5)  Send 50 gillion %00's
A6)  Change phone_num parameter to "12345' OR 1 = 1;"
A7)  Any of the above could cause an error - what does the response tell you?
A8)  Browse to /password.txt or maybe /securekeys.txt
A9)  Send a 20GB file upload
A10)  Try to download /WEB-INF/web.xml

I presume that exactly none of these would work for the application
you have in mind.  You have to know the application, and why
exploiting any one of these would be valuable to do a more educated
attack.  That's the difference between a scr1pt kiddi3 and a hacker.

w

On Tue, 15 Mar 2005 18:53:51 +0530, Ankam, Arunkumar
<aankam@...> wrote:
> Hi William,
> 
>             Thanks for immediate reply.Can u provide me some examples
> for achieving all the 10 owasp points(A1 to A10) using webscarab.
> 
> 
> Thanks and regards
> Arun kumar.
> 
> -----Original Message-----
> From: William Stranathan [mailto:shi1wei3@...]
> Sent: Monday, March 14, 2005 5:33 PM
> To: Ankam, Arunkumar
> Subject: Re: [OWASP-WEBSCARAB] whether webscarab supports Cross site
> scripting,Buffer Overflows,SQLInjection,Forced Browsing
> 
> Yes - you can manipulate the request/response however you want.
> Webscarab is a MITM proxy, not an automated tool for doing any
> particular kind of attack (except for session cookie analysis).
> 
> On Mon, 14 Mar 2005 16:48:36 +0530, Ankam, Arunkumar
> <aankam@...> wrote:
> >
> >         Can anyone tell me whether webscarab supports Cross site
> scripting,
> > Buffer Overflows, SQLInjection, Forced Browsing.
> >
>

RE: [OWASP-WEBSCARAB] whether webscarab supports Cross site scripting,Buffer Overflows,SQLInjection,Forced Browsing

From: <lists@da...> - 2005-03-15 15:07

Quoting "Ankam, Arunkumar" <aankam@...>:

> Hi Rogan,
> 
>               Thanks for immediate reply.Your answers were very much
> useful to me. Can u please tell me how all the 10 owasp points (from A1
> to A10?) Can be achieved for those things which don't have form based
> input.Please Reply as early as possible.
> 
> 
> 
> Regards
> Arun kumar.
> 

Hi Arun,

A1. Send all sort of funny input to the server using WebScarab form intercepts,
manual requests, or scripting.

A2. Use the spider, the manual request and the scripting plugin to make requests
to identified resources, removing critical authentication parameters.

A3. Use the sessionid plugin to identify non-random sessionids. Replay requests
after a suitable timeout period to verify that the session does in fact
timeout.

A4. Similar to A1.

A5. Similar to A1, with long inputs.

A6. Similar to A1, focusing on apps that seem to interact with underlying
systems.

A7. Use the scripting plugin to "post-process" the observed responses to
identify any that appear to contain errors. Also look to 5xx responses in the
summary panel.

A8. Not addressed.

A9. Not addressed.

A10. Not addressed.

Rogan

P.S. Please keep traffic ON the list. That way I do not duplicate my responses,
and the other people on the list, and those searching later may find the
answers as well.


> -----Original Message-----
> From: lists@... [mailto:lists@...] 
> Sent: Tuesday, March 15, 2005 2:02 AM
> To: Jamie Finnigan
> Cc: Ankam, Arunkumar; owasp-webscarab@...
> Subject: Re: [OWASP-WEBSCARAB] whether webscarab supports Cross site
> scripting,Buffer Overflows,SQLInjection,Forced Browsing
> 
> Quoting Jamie Finnigan <jfinnigan@...>:
> 
> > Hi Arun,
> > 
> > What you have listed are a number of common web application
> > vulnerabilities.  As a proxy tool, Webscarab supports pretty much
> > anything web-application-related, allowing you to test for any of
> > these vulnerabilities.
> > 
> > Given the nature of the beast (a 'proxy' rather than an 'automated
> > application test tool' or similar) the test process is initiallly
> > manual.
> > 
> > For example, to test for buffer overflows:
> >  - install Webscarab, run it, and configure Internet Explorer (or your
> > browser of choice) to use it as the proxy
> >  - browse to a page within the application that contains the form
> > input you are testing in the browser and watch the conversation
> > happening in the log screen (under the 'Summary' tab)
> >  - turn on intercepts (under the 'Proxy' and 'Manual Edit' tabs) and
> > submit the form
> >  - review the request as that pops up in the intercepts window, and
> > manipulate input as you wish (eg. you might choose to change the value
> > for a field name 'userid' from 'arunk' to
> > '9999999999999999999999999999999999999999999'
> >  - submit the modified request and observe the results in your browser
> > and in the conversation log
> >  - repeat as considered necessary .. it's normally an interative
> > process, repeatedly testing different input values on the same input
> > field
> > 
> > A similar process will be used when testing for cross site scripting
> > and SQL injection, except with different values.  For example:
> >  - to test for cross site scripting you might replace the value of the
> > 'userid' input field 'arunk' with '<i>arunk</i>' or '<iframe
> > src=http://www.google.co.nz></iframe>'
> >  - to test for SQL injection you might replace the value of the
> > 'userid' input field 'arunk' with 'arunk" or 1=1;--' or similar.
> > 
> > Once you have defined your testing process for an application you
> > could look at automating some of the testing using the scripting
> > functionality built in to Webscarab.
> > 
> > Hope this helps...
> > 
> > Jamie
> 
> Thanks for the response, Jamie.
> 
> To add to it, maybe a bit of philosophy about WebScarab, and some idea
> of where
> it is going (i.e. what I am working on at the moment!)
> 
> The idea of WebScarab is to be a user interface to allow users to
> visualise the
> web site under review, and to interact with the website in a number of
> different ways.
> 
> One way is to let the browser generate the requests that we send to the
> site
> under review. As mentioned by Jamie, this is a nice way of exploring the
> site,
> and identifying applications, because the browser does a lot of the hard
> work
> of letting you navigate around.
> 
> Another way is to create manual requests, either by hand crafting them
> in the
> "Manual Request" plugin, or by editing and replaying a previous request
> selected from the dropdown list.
> 
> Another way is to let the Spider create requests based on the links that
> it has
> identified in the HTML responses it has seen, and that have not yet been
> visited.
> 
> The last of the current methods of interacting with the site is using
> the
> "Scripted" plugin, which allows you to programmatically create requests
> that
> are submitted to the server, and do some analysis of the responses that
> come
> back. This is really great for things like fuzzing, as you can create
> the
> requests based on a list of fuzz strings designed to generate XSS or SQL
> Injection errors. It also allows you to multi-thread the requests, so it
> can be
> a LOT faster than, say, shell and netcat. In the latest version released
> on
> Sourceforge (but not actually announced here!), I have enhanced the
> capabilities of the Scripted plugin, so that you can explore the
> existing site
> model/tree hierarchy, and build your requests automatically.
> 
> More excitingly, I am working on a new Fuzzer plugin, which
> automatically
> identifies URL's that could possibly be applications, lists the various
> permutations of parameters that the URL has received, and will provide
> some
> level of automation of submitting fuzz strings to the various
> applications that
> have been identified. It will also identify pages that contain error
> strings
> (based on regex matches, most likely), which will help to identify pages
> that
> need more manual attention.
> 
> I hope to present this new plugin at the OWASP Conference in London, so
> if
> anyone is going to be there, it will be great to put faces to names, or
> even
> names to aliases! ;-)
> 
> Regards,
> 
> Rogan
>

[OWASP-WEBSCARAB] whether webscarab supports Cross site scripting,Buffer Overflows,SQLInjection,Forced Browsing

From: Ankam, Arunkumar <aankam@ro...> - 2005-03-14 11:18

Attachments: Message as HTML

Hi,
=20
        Can anyone tell me whether webscarab supports Cross site
scripting, Buffer Overflows, SQLInjection, Forced Browsing.
=20
=20
=20
  Thanks and regards
   Arun kumar.
=20
=20
=20

Re: [OWASP-WEBSCARAB] whether webscarab supports Cross site scripting,Buffer Overflows,SQLInjection,Forced Browsing

From: Jamie Finnigan <jfinnigan@gm...> - 2005-03-14 19:47

Hi Arun,

What you have listed are a number of common web application
vulnerabilities.  As a proxy tool, Webscarab supports pretty much
anything web-application-related, allowing you to test for any of
these vulnerabilities.

Given the nature of the beast (a 'proxy' rather than an 'automated
application test tool' or similar) the test process is initiallly
manual.

For example, to test for buffer overflows:
 - install Webscarab, run it, and configure Internet Explorer (or your
browser of choice) to use it as the proxy
 - browse to a page within the application that contains the form
input you are testing in the browser and watch the conversation
happening in the log screen (under the 'Summary' tab)
 - turn on intercepts (under the 'Proxy' and 'Manual Edit' tabs) and
submit the form
 - review the request as that pops up in the intercepts window, and
manipulate input as you wish (eg. you might choose to change the value
for a field name 'userid' from 'arunk' to
'9999999999999999999999999999999999999999999'
 - submit the modified request and observe the results in your browser
and in the conversation log
 - repeat as considered necessary .. it's normally an interative
process, repeatedly testing different input values on the same input
field

A similar process will be used when testing for cross site scripting
and SQL injection, except with different values.  For example:
 - to test for cross site scripting you might replace the value of the
'userid' input field 'arunk' with '<i>arunk</i>' or '<iframe
src=http://www.google.co.nz></iframe>'
 - to test for SQL injection you might replace the value of the
'userid' input field 'arunk' with 'arunk" or 1=1;--' or similar.

Once you have defined your testing process for an application you
could look at automating some of the testing using the scripting
functionality built in to Webscarab.

Hope this helps...

Jamie


On Mon, 14 Mar 2005 16:48:36 +0530, Ankam, Arunkumar
<aankam@...> wrote:
> 
> 
> Hi,
> 
>  
> 
>         Can anyone tell me whether webscarab supports Cross site scripting,
> Buffer Overflows, SQLInjection, Forced Browsing.
> 
>  
> 
>  
> 
>  
> 
>   Thanks and regards
> 
>    Arun kumar.
> 
>  
> 
>  
> 
>

Re: [OWASP-WEBSCARAB] whether webscarab supports Cross site scripting,Buffer Overflows,SQLInjection,Forced Browsing

From: <lists@da...> - 2005-03-14 20:32

Quoting Jamie Finnigan <jfinnigan@...>:

> Hi Arun,
> 
> What you have listed are a number of common web application
> vulnerabilities.  As a proxy tool, Webscarab supports pretty much
> anything web-application-related, allowing you to test for any of
> these vulnerabilities.
> 
> Given the nature of the beast (a 'proxy' rather than an 'automated
> application test tool' or similar) the test process is initiallly
> manual.
> 
> For example, to test for buffer overflows:
>  - install Webscarab, run it, and configure Internet Explorer (or your
> browser of choice) to use it as the proxy
>  - browse to a page within the application that contains the form
> input you are testing in the browser and watch the conversation
> happening in the log screen (under the 'Summary' tab)
>  - turn on intercepts (under the 'Proxy' and 'Manual Edit' tabs) and
> submit the form
>  - review the request as that pops up in the intercepts window, and
> manipulate input as you wish (eg. you might choose to change the value
> for a field name 'userid' from 'arunk' to
> '9999999999999999999999999999999999999999999'
>  - submit the modified request and observe the results in your browser
> and in the conversation log
>  - repeat as considered necessary .. it's normally an interative
> process, repeatedly testing different input values on the same input
> field
> 
> A similar process will be used when testing for cross site scripting
> and SQL injection, except with different values.  For example:
>  - to test for cross site scripting you might replace the value of the
> 'userid' input field 'arunk' with '<i>arunk</i>' or '<iframe
> src=http://www.google.co.nz></iframe>'
>  - to test for SQL injection you might replace the value of the
> 'userid' input field 'arunk' with 'arunk" or 1=1;--' or similar.
> 
> Once you have defined your testing process for an application you
> could look at automating some of the testing using the scripting
> functionality built in to Webscarab.
> 
> Hope this helps...
> 
> Jamie

Thanks for the response, Jamie.

To add to it, maybe a bit of philosophy about WebScarab, and some idea of where
it is going (i.e. what I am working on at the moment!)

The idea of WebScarab is to be a user interface to allow users to visualise the
web site under review, and to interact with the website in a number of
different ways.

One way is to let the browser generate the requests that we send to the site
under review. As mentioned by Jamie, this is a nice way of exploring the site,
and identifying applications, because the browser does a lot of the hard work
of letting you navigate around.

Another way is to create manual requests, either by hand crafting them in the
"Manual Request" plugin, or by editing and replaying a previous request
selected from the dropdown list.

Another way is to let the Spider create requests based on the links that it has
identified in the HTML responses it has seen, and that have not yet been
visited.

The last of the current methods of interacting with the site is using the
"Scripted" plugin, which allows you to programmatically create requests that
are submitted to the server, and do some analysis of the responses that come
back. This is really great for things like fuzzing, as you can create the
requests based on a list of fuzz strings designed to generate XSS or SQL
Injection errors. It also allows you to multi-thread the requests, so it can be
a LOT faster than, say, shell and netcat. In the latest version released on
Sourceforge (but not actually announced here!), I have enhanced the
capabilities of the Scripted plugin, so that you can explore the existing site
model/tree hierarchy, and build your requests automatically.

More excitingly, I am working on a new Fuzzer plugin, which automatically
identifies URL's that could possibly be applications, lists the various
permutations of parameters that the URL has received, and will provide some
level of automation of submitting fuzz strings to the various applications that
have been identified. It will also identify pages that contain error strings
(based on regex matches, most likely), which will help to identify pages that
need more manual attention.

I hope to present this new plugin at the OWASP Conference in London, so if
anyone is going to be there, it will be great to put faces to names, or even
names to aliases! ;-)

Regards,

Rogan

WG: [OWASP-WEBSCARAB] ColumnDataModel

From: Breitbach, Thomas <Thomas.Breitbach@t-...> - 2005-03-09 11:50

Hi,

Rogan, thanks for the detailed explanation on this. I'll try myself, =
when I
have some days off next week.

Two general questions to all on the list:

- Using the newest version 2005-0222-2220 if am facing errors during =
session
id analysis.
A session id here in the cookie (e.g.
PHPSESSID=3D1d69ec9d6617d91ef3ce5c73142d32e8) is not collected, so that =
I can
see it in the scrollbar of the analysis section. This worked before  =
...
Anybody else facing this problem?

- in another case the cookie is more complicated
JSESSIONID=3DHello12345.12345643413412414EndHello
  The real session id starts after the "dot" and ends before =
"EndHello".
  Any idea how I can analyze this directly without scripting?
  As far as I understand the regex in session-id->collection this only
applies to the text
  An example for this would be helpful.

Thanks
Thomas




> -----Urspr=FCngliche Nachricht-----
>Von: Rogan Dawes [mailto:discard@...
>Gesendet: Montag, 7. M=E4rz 2005 18:50
>An: OWASP WebScarab
>Betreff: [OWASP-WEBSCARAB] ColumnDataModel


>Here is a snippet from the existing SummaryTableModel showing how easy =

>it is to add your own columns to the table:

>ColumnDataModel cdm =3D new ColumnDataModel() {
     public Object getValue(Object key) {
        if (_model =3D=3D null) return null;
        ConversationID id =3D (ConversationID) key;
        return _model.getConversationProperty(id, "METHOD");
     }
     public String getColumnName() { return "Method"; }
     public Class getColumnClass() { return String.class; }
>};
>_conversationTableModel.addColumn(cdm);

>That shows the METHOD that was used in the request.

>You would probably want to do something like:

>String ts =3D _model.getConversationProperty(id, "TIMESTAMP"); long =
time =3D
Long.parseLong(ts); return new Date(time);

>and make getColumnClass() return Date.class

>Pretty simple, really.

>Rogan
--=20
Rogan Dawes

*ALL* messages to discard@... will be dropped, and added to my
blacklist. Please respond to "lists AT dawes DOT za DOT net"


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real =
users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=3D6595&alloc_id=3D14396&op=3Dclick
_______________________________________________
Owasp-webscarab mailing list Owasp-webscarab@...
https://lists.sourceforge.net/lists/listinfo/owasp-webscarab

[OWASP-WEBSCARAB] Re: WebScrarab error

From: Rogan Dawes <rogan@da...> - 2005-03-09 08:58

Patrick Pitchappa wrote:
> Hi Rogan,
> 
> My name is Patrick Pitchappa and I am trying to use your WebScarab
> application version 20050222-2220. I keep getting an error which says:
> 
> IOException Retrieving the response: java.net.ConnectException:
> Connection Refused: connect
> 
> What am I doing wrong here? Please let me know what may be causing this error. 
> 
> Thanks,
> Patrick.

Hi Patrick,

It seems to me that either you have an upstream proxy configured, that 
is not listening, or that the web server that you are trying to contact 
is not listening.

Please make sure that your URL is correct, and that any upstream proxy 
settings are correct.

Rogan

[OWASP-WEBSCARAB] Re: Bug in latest build

From: Rogan Dawes <lists@da...> - 2005-03-07 18:44

Jesse Burns wrote:
> Hey Rogan,
> So I have developed some scripts in bean shell, and I have found that
> proguard is removing methods that are part of the model (like
> Message.getHeaderNames()) but not used by the application. The lack of
> these methods is confusing (to see that they are gone I had to
> disassemble the jar file, and in custom - non-proguard builds they work
> fine). You may wish to tone down the use of proguard for model objects,
> or other things bean scripters may wish to call. Personally I don't see
> why the size reduction is important - but I am not paying the bandwidth
> charges for downloads.
> 
> Thanks,
> Jesse

Hi Jesse,

thanks for the bug report.

In fact, I was just using ProGuard to identify unused classes, because 
it reads from a large number of library jars.

But I will change the proguard configuration to not remove methods of 
classes that are used.

What kind of scripts are you writing? Do you need any more functionality 
in WebScarab itself to support them?

For what it is worth, you can also call the ManualEditFrame 
editRequest(Request) and editResponse(Request, Response) methods from 
your script, if you want to. They should be thread safe, and block and 
unblock appropriately.

Rogan
-- 
Rogan Dawes

*ALL* messages to discard@... will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

[OWASP-WEBSCARAB] ColumnDataModel

From: Rogan Dawes <discard@da...> - 2005-03-07 17:50

Here is a snippet from the existing SummaryTableModel showing how easy 
it is to add your own columns to the table:

ColumnDataModel cdm = new ColumnDataModel() {
     public Object getValue(Object key) {
        if (_model == null) return null;
        ConversationID id = (ConversationID) key;
        return _model.getConversationProperty(id, "METHOD");
     }
     public String getColumnName() { return "Method"; }
     public Class getColumnClass() { return String.class; }
};
_conversationTableModel.addColumn(cdm);

That shows the METHOD that was used in the request.

You would probably want to do something like:

String ts = _model.getConversationProperty(id, "TIMESTAMP");
long time = Long.parseLong(ts);
return new Date(time);

and make getColumnClass() return Date.class

Pretty simple, really.

Rogan
-- 
Rogan Dawes

*ALL* messages to discard@... will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

[OWASP-WEBSCARAB] WebScarab / TimeStamp

From: Breitbach, Thomas <Thomas.Breitbach@t-...> - 2005-03-07 17:21

Attachments: Message as HTML

Hi folks, hi Rogan,

I am actually using the newest version of scarab for some security checks.
One of these checks on the portal is to test the session timeout mechanism.

For this it would be nice to have a time stamp in the summary window as well
as the single conversation window.
Of course this time stamp must be based on client- (that means scarab) time.

What do you all think about a time stamp? 
Rogan: Is it possible to include this in an upcoming version?

Thomas

----------------------------------------------------
T-Mobile Deutschland GmbH
Dr. Thomas Breitbach, Product Security
Landgrabenweg 151, D-53227 Bonn, Germany
Phone +49 228 936 33315   Fax +49 228 936 33309
Email: thomas.breitbach@...
Internet: http://www.t-mobile.de <www.t-mobile.de> , http://www.t-mobile.com
<www.t-mobile.com> 
-------------------------------------------------------

Re: [OWASP-WEBSCARAB] WebScarab / TimeStamp

From: Rogan Dawes <discard@da...> - 2005-03-07 17:43

Breitbach, Thomas wrote:
> 
> 
> Hi folks, hi Rogan,
> 
> I am actually using the newest version of scarab for some security checks.
> One of these checks on the portal is to test the session timeout mechanism.
> 
> For this it would be nice to have a time stamp in the summary window as 
> well as the single conversation window.
> Of course this time stamp must be based on client- (that means scarab) 
> time.
> 
> What do you all think about a time stamp?
> Rogan: Is it possible to include this in an upcoming version?
> 
> Thomas

Well, of course, there is nothing preventing you from doing this.

Probably the easiest way would be to timestamp it when the conversation 
is added to the Framework, as a simple property of the conversation.

ConversationID id = _model.addConversation(request, response, origin);
_model.setConversationProperty(id, "TIMESTAMP",
     Long.asString(new Date().getTime()));

Then, in the SummaryPanel, create a new ColumnDataModel that uses this 
property to provide its values.

It would probably only be about 30-40 lines of code, if you are 
interested in implementing it.

Places to look:

org.owasp.webscarab.plugin.Framework (central place for conversations to 
be added to the model - implement the two lines given above in 
addConversation() )

org.owasp.webscarab.ui.swing.SummaryPanel - create a subclass of 
org.owasp.webscarab.util.swing.ColumnDataModel to show the Date. get the 
conversationProperty from the model, convert it from a String to a Long 
to a long to a Date ;-).

Optionally provide a Date renderer to format the date in a pretty format

You should simply be able to copy one of the existing subclasses of 
ColumnDataModel existing in SummaryPanel.

Good luck. Let me know if you have any questions.

Regards,

Rogan

P.S. if this is too complicated for you, I will probably implement this 
in a future version anyway, but I'd appreciate your contribution.

P.P.S. There are three ways of getting the source for WebScarab.
1. Download the installer.
2. Download the src.zip.
3. Check it out from the CVS tree.
-- 
Rogan Dawes

*ALL* messages to discard@... will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

Re: [OWASP-WEBSCARAB] Comments on latest release of WebScarab?

From: Jamie Finnigan <jfinnigan@gm...> - 2005-03-02 00:07

Hi Rogan and all,

I've just installed and briefly used the latest release.  First
impression is that it seems to be performing better than prior
versions?  I used to have issues with the proxy freezing after a
number of sessions were processed.  This may also be due to upgrading
the JRE I'm using.

I can't see the IE integration working on my Windows XP / IE6
installation .. doesn't seem to pickup existing proxy settings, or to
change the proxy to point to Webscarab instance.  Is this the
behaviour I should be seeing?  Haven't had a chance to look at the
source yet, will do that at some stage.

My favorite change would have to be 'Cancel all edits' button,
followed closely by the ctrl-w wordwrap toggle on TextAreas ... it's
the little things. :)  Any chance of including a search function on
the raw intercept boxes?  Maybe implemented in a similar manner to the
Firefox search function (small text box at bottom of page)?

Have got a web application review coming up in the near future so will
get some heavy usage out of it then, and look at the scripting
functionality.

Something Rogan has asked the list before that I haven't seen much of
a response to is the areas that people are using Webscarab in?  I'm a
security consultant with Deloitte, so use it primarily for the testing
of web applications for a range of clients.  I also do some
development work (PHP primarily) in my spare time which I use
Webscarab for performing debugging work in.  Anyone else?

Thanks for the work you put into this Rogan, much appreciated. :)

Jamie

On Mon, 28 Feb 2005 09:32:39 -0600, lists@...
<lists@...> wrote:
> Hi folks,
> 
> Any comments on the latest 0222-2220 release of Webscarab? Has anyone tried it?
> 
> Did the IE integration work for you? What do you think of the new Scripted
> plugin?
> 
> Am I wasting my time here?
> 
> Rogan
> 
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Owasp-webscarab mailing list
> Owasp-webscarab@...
> https://lists.sourceforge.net/lists/listinfo/owasp-webscarab
>

Re: [OWASP-WEBSCARAB] Comments on latest release of WebScarab?

From: <lists@da...> - 2005-03-02 07:30

Quoting Jamie Finnigan <jfinnigan@...>:

> Hi Rogan and all,
> 
> I've just installed and briefly used the latest release.  First
> impression is that it seems to be performing better than prior
> versions?  I used to have issues with the proxy freezing after a
> number of sessions were processed.  This may also be due to upgrading
> the JRE I'm using.
> 
> I can't see the IE integration working on my Windows XP / IE6
> installation .. doesn't seem to pickup existing proxy settings, or to
> change the proxy to point to Webscarab instance.  Is this the
> behaviour I should be seeing?  Haven't had a chance to look at the
> source yet, will do that at some stage.

As mentioned on the list during the design stage, there are two aspects to the
WinInet integration. The first is getting the current proxy settings from IE,
the second is changing the proxy settings to point to WebScarab.

The first is accomplished manually at this stage, by going to Tools->Proxy, and
selecting the Get IE Settings button. If you are not seeing this button (e.g.
if you downloaded the self-contained jar), you need to get the W32WinInet.dll
from sourceforge, and put it in the same directory as the jar file. If it is
recognised, you should then get the button on the Tools->Proxy dialog, and if
you press it, it should copy the current settings into the text boxes.

The second option is accomplished by setting the "primary" flag under the proxy
tab, where you define the various proxies that are listening. Most likely you
will have to stop the current proxy, tick the "primary" checkbox, and start it
again. It will then set WinInet to point to it when it is started, and set the
previous values when it is stopped.

> My favorite change would have to be 'Cancel all edits' button,
> followed closely by the ctrl-w wordwrap toggle on TextAreas ... it's
> the little things. :)  Any chance of including a search function on
> the raw intercept boxes?  Maybe implemented in a similar manner to the
> Firefox search function (small text box at bottom of page)?

Well, ask, and ye shall receive! :-) 

Try Ctrl-F and Ctrl-G in the text boxes, which provide a search dialog, and
"search again" functionality respectively.

> 
> Have got a web application review coming up in the near future so will
> get some heavy usage out of it then, and look at the scripting
> functionality.
> 
> Something Rogan has asked the list before that I haven't seen much of
> a response to is the areas that people are using Webscarab in?  I'm a
> security consultant with Deloitte, so use it primarily for the testing
> of web applications for a range of clients.  I also do some
> development work (PHP primarily) in my spare time which I use
> Webscarab for performing debugging work in.  Anyone else?
> 
> Thanks for the work you put into this Rogan, much appreciated. :)

Thanks for your feedback, Jamie. It helps to know that people are actually using
WebScarab and how they are using it. It lets me know how to develop it further.

For the rest of the people on the list who don't know me, I am actually also a
security consultant for Deloitte, currently based in the Czech Republic, but
originally from South Africa. Much like Jamie, I use WebScarab for performing
security audits for clients ranging from financial institutions to insurance
companies.

Regards,

Rogan