Scribd Logo
Upload

Welcome to Scribd!

  • Advanced Webscarab: The Owasp Foundation

    Uploaded by

    api-27294532
    49 views25 pages
    WebScarab is a tool for anyone involved with HTTPbased applications (e.g. Web applications) key features full visibility into the HTTP protocol Also supports HTTPS (incl client certs) Persistent audit trail can easily be reviewed Primary uses Security analysis Application debugging.

    Original Description:

    Original Title

    AppSec2005DC-Rogan_Dawes-WebScarab

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    WebScarab is a tool for anyone involved with HTTPbased applications (e.g. Web applications) key features full visibility into the HTTP protocol Also supports HTTPS (incl client certs) Persistent audit trail can easily be reviewed Primary uses Security analysis Application debugging.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    49 views25 pages

    Advanced Webscarab: The Owasp Foundation

    Uploaded by

    api-27294532
    WebScarab is a tool for anyone involved with HTTPbased applications (e.g. Web applications) key features full visibility into the HTTP protocol Also supports HTTPS (incl client certs) Persistent audit trail can easily be reviewed Primary uses Security analysis Application debugging.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 25

    Advanced WebScarab

    Rogan Dawes, WebScarab project lead


    Senior Consultant, Deloitte South Africa
    rdawes@deloitte.co.za
    +27 82 784 9498
    OWASP
    AppSec
    DC
    October 2005 Copyright © 2005 - The OWASP Foundation
    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License.

    The OWASP Foundation


    http://www.owasp.org/
    Who am I?

    Day job
    Senior Consultant, Deloitte South Africa, ERS
     Security Assessments
     Security Consulting

    Night job
    Self-taught Java programmer
     Exodus
     WebScarab

    OWASP AppSec DC 2005 2


    What is WebScarab?

    A tool for anyone involved with HTTP-based


    applications (e.g. web applications)

    Key features
    Full visibility into the HTTP protocol
    Also supports HTTPS (incl client certs)
    Persistent audit trail can easily be reviewed
    Primary uses
    Security analysis
    Application debugging

    OWASP AppSec DC 2005 3


    What does WebScarab do?

    Allows user to view HTTP(S) conversations


    between browser and server
    Allows user to review those conversations
    Allows user to intercept and modify on the fly
    Allows user to replay previous requests
    Allows user to script conversations with full
    access to the the request and response object
    models
    And much more!

    OWASP AppSec DC 2005 4


    Obtaining WebScarab

    Hosted on Sourceforge
    https://sourceforge.net/projects/owasp
    Various package formats
    webscarab-installer-<date>.jar
    webscarab-selfcontained-<date>.jar
    webscarab-src-<date>.jar
    Windows IE Integration library
    W32WinInet.dll
    JavaHelp support

    OWASP AppSec DC 2005 5


    Setting up the environment

    Upstream Proxies
    Internet Explorer integration - “Get IE settings”
    Exclusion list uses IE format
    Certificates
    PKCS#12 format files
    Store password and key password usually identical
    Server cert loaded from the .jar
    MS CAPI integration coming (IE cert store)
    Settings saved in properties file
    ${user.home}/WebScarab.properties

    OWASP AppSec DC 2005 6


    Useful Tools

    Shared Cookies
    List of cookies seen by various plugins
    Maintains history of previous cookies
    Can add and delete cookies
    Can be used by Manual Request and Spider plugins

    Transcoder
    URL {en,de}code
    BASE64 {en,de}code
    Hashing

    OWASP AppSec DC 2005 7


    Conversation viewer

    Remembers size and placement


    Splitpanes allow resizing Request / Response
    Different “editors” for various Content-Type
    Hex
    Text
    Image
    HTML
    XML
    URL Encoded
    Multi-part

    OWASP AppSec DC 2005 8


    Configuring Proxy Listeners

    Listens on 127.0.0.1:8008 by default


    Supports multiple listeners if required
    “Uses plugins” optional
    Internet Explorer Integration
    Primary listener hijacks IE proxy settings on startup
    Reverse proxy support
    For hard-coded applications
    Cannot be primary!
    Network simulators
    Latency and bandwidth
    OWASP AppSec DC 2005 9
    Manual Request

    Creating from scratch


    Based on previous request via drop-down
    Automatic Content-Length adjustment
    Only if the header already exists
    Change to the “Raw” tab to get new editors
    Checks Content-Type header
    “Get Cookies” updates from “Shared Cookies”
    “Update CookieJar” adds to “Shared Cookies”

    OWASP AppSec DC 2005 10


    Session ID Analysis

    Quickly collect a large sample of cookies


    Convert String to a (BIG) number
    Default Calculator – per position character set
    Various calculation algorithms possible
    Changing calculators requires recompilation
    Table shows calculations and differences
    Graph allows visual identification of patterns

    OWASP AppSec DC 2005 11


    Session ID Analysis

    Based on previous request from drop-down


    Manual editing if necessary (e.g. HEAD vs GET)
    Choose location of Session ID, and Name
    Regex describes substring to extract
    Default regex is (.*)
    “Test” to see what is extracted
    Specify number of samples

    OWASP AppSec DC 2005 12


    Demonstration

    Collecting and graphing sessionids from


    WebGoat

    OWASP AppSec DC 2005 13


    Scripting support

    Proxy beanshell
    public Response fetchResponse(HTTPClient nextPlugin, Request request)
    throws IOException {
    // your request modifications here
    response = nextPlugin.fetchResponse(request);
    // your response modifications here
    return response;
    }

    Tools -> Script Manager


    Plugins export hooks
     Framework hook
     Proxy hooks
    OWASP AppSec DC 2005 14
    Scripting support continued

    Scripted Plugin
    Multiple language support via BSF
     BeanShell (tested)
     Javascript, Jython, Groovy, etc (untested)
    Documentation in the source code
     ScriptedObjectModel.java
    Most useful methods
    public Request getRequest(int id)
    public Response fetchResponse(Request request)
    public ConversationID addConversation(Response response)

    public void submitAsyncRequest(Request request)


    public Response getAsyncResponse()

    OWASP AppSec DC 2005 15


    Demonstration

    Brute forcing a session ID

    OWASP AppSec DC 2005 16


    New plugins

    Fuzzer

    Search

    Compare

    Web Services

    OWASP AppSec DC 2005 17


    Fuzzer

    Specify the method, URL and Version


    Add any additional headers
    Specify the parameters
    Location (Path, Fragment, Query, Cookie, Body)
    Name
    Type (only String)
    Value (used if not fuzzing this parameter)
    Priority (controls the permutation algorithm)
    Fuzz Source (a named list of fuzz strings)
    GO!
    OWASP AppSec DC 2005 18
    Creating fuzz sources

    Description
    File name and location

    Internal interface also supports programmatic


    generation of strings (e.g. length related), but
    this requires some coding

    Fuzzer is extremely stupid


    Only stops on errors (400 or exception)
    Just hit Start again if it stops
    OWASP AppSec DC 2005 19
    Demonstration

    Fuzzing for SQL injection errors

    OWASP AppSec DC 2005 20


    Search plugin

    How do we find interesting results then?


    Search plugin performs arbitrary matches
    against conversations
    Description
    Search expression

    E.g:
    new String(response.getContent()).matches("(?is).*(error|exception).*")
    (?is) matches multi-line, case-insensitive

    OWASP AppSec DC 2005 21


    Demonstration

    Finding conversations with SQL injection errors

    OWASP AppSec DC 2005 22


    Compare

    Compares the body of various responses


    Select a baseline to compare against
    Conversation list shows the “distance” from
    baseline (# words)
    Can be sorted on any (combination of ) columns

    Select a conversation to show both bodies

    OWASP AppSec DC 2005 23


    Web Services

    Identifies WSDL in conversations


    Can load from a file
    Parses WSDL
    Parses Schema (complex types!)
    Presents Services and Operations
    Constructs an Object hierarchy for editing
    Converts to SOAP message
    Invoke!
    Currently RPC/encoded only

    OWASP AppSec DC 2005 24


    Questions?

    Rogan Dawes, WebScarab project lead


    Senior Consultant, Deloitte South Africa
    rdawes@deloitte.co.za
    +27 82 784 9498
    OWASP
    AppSec
    DC
    October 2005 Copyright © 2005 - The OWASP Foundation
    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License.

    The OWASP Foundation


    http://www.owasp.org/

    You might also like