#4 Problems with WebScarab

Rogan Dawes


I want to try WebScarab with some web applications.
I've downloaded the latest version to my computer and
it's running, but I don't know how to use it.

I have installed two web servers on my PC, IIS and
Tomcat, and I need to scan three web applications: two
are running on IIS and the other, WebGoat, is running
on Tomcat.

The two web servers are running on different ports. How
can I analyze my web applications with this
configuration? What are the steps to analyze web
applications with WebScarab? The WebScarab user
guide is not good. Can anybody help me?

Thanks, bye



  • Rogan Dawes

    WebScarab is not a point and click tool. It is a supporting tool
    for someone who already understands the kinds of errors that
    a web application can have.

    The most common approach is to use WebScarab as an
    intercepting proxy between your browser and your
    application. To do this, you need to configure your browser to
    use WebScarab as a proxy, rather than going directly to the
    web server. WebScarab is running on port 8008 on localhost,
    by default.

    After navigating through the application, you should see a list
    of the conversations that have taken place, with their
    parameters, and the response status, etc.

    One approach could be to review the list of conversations to
    identify pages that accept parameters, and modify those
    parameters to see how the application reacts.

    Another approach is to use WebScarab to intercept requests
    on the fly, as you submit them in the browser, and pop up a
    window allowing you to modify any parameters that are being

    I hope this has helped. Let me know if you are still confused.

  • deuntajo

    • status: open --> closed
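
An added example, not part of the original thread and not WebScarab's own code: a minimal logging proxy in Python showing why one proxy setting covers applications on different ports, and how the resulting conversation list can be filtered for requests that carry parameters. The two stand-in servers, the paths and the parameter names are constructed, and free ports are used instead of 8008.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

conversations = []  # (host:port, path, parameter names, status), like the proxy's list

class App(BaseHTTPRequestHandler):  # constructed stand-in for an app on IIS or Tomcat
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        self.reply(200, b"ok")
    def log_message(self, *args):  # keep the demo quiet
        pass

class Proxy(App):  # constructed stand-in for the intercepting proxy
    def do_GET(self):
        u = urlsplit(self.path)  # a proxied request line carries the absolute URL
        up = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        up.request("GET", u.path + ("?" + u.query if u.query else ""))
        resp = up.getresponse()
        body = resp.read()
        up.close()
        conversations.append((u.netloc, u.path, sorted(parse_qs(u.query)), resp.status))
        self.reply(resp.status, body)

def serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    conversations.clear()
    iis, tomcat, proxy = serve(App), serve(App), serve(Proxy)
    a, b = (f"http://127.0.0.1:{s.server_port}" for s in (iis, tomcat))
    for url in (a + "/home", a + "/search?q=test", b + "/lesson?id=1&mode=view"):
        c = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
        c.request("GET", url)  # what a browser sends once the proxy is configured
        c.getresponse().read()
        c.close()
    for s in (iis, tomcat, proxy):
        s.shutdown()
        s.server_close()
    return [conv for conv in conversations if conv[2]]  # those carrying parameters

if __name__ == "__main__":
    print(demo())
```

The target host and port travel inside each request, so the proxy needs no per-server configuration; only the browser's proxy setting changes.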