Day job
Senior Consultant, Deloitte South Africa, ERS
Security Assessments
Security Consulting
Night job
Self-taught Java programmer
Exodus
WebScarab
Key features
Full visibility into the HTTP protocol
Also supports HTTPS (incl. client certs)
Persistent audit trail can easily be reviewed
Primary uses
Security analysis
Application debugging
Hosted on Sourceforge
https://sourceforge.net/projects/owasp
Various package formats
webscarab-installer-<date>.jar
webscarab-selfcontained-<date>.jar
webscarab-src-<date>.jar
Windows IE Integration library
W32WinInet.dll
JavaHelp support
Upstream Proxies
Internet Explorer integration - “Get IE settings”
Exclusion list uses IE format
Certificates
PKCS#12 format files
Store password and key password usually identical
Server cert loaded from the .jar
MS CAPI integration coming (IE cert store)
Settings saved in properties file
${user.home}/WebScarab.properties
Shared Cookies
List of cookies seen by various plugins
Maintains history of previous cookies
Can add and delete cookies
Can be used by Manual Request and Spider plugins
Transcoder
URL {en,de}code
BASE64 {en,de}code
Hashing
Proxy beanshell
public Response fetchResponse(HTTPClient nextPlugin, Request request)
        throws IOException {
    // your request modifications here
    // hand the (possibly modified) request to the next plugin in the chain
    Response response = nextPlugin.fetchResponse(request);
    // your response modifications here
    return response;
}
Scripted Plugin
Multiple language support via BSF
BeanShell (tested)
JavaScript, Jython, Groovy, etc. (untested)
Documentation in the source code
ScriptedObjectModel.java
Most useful methods
public Request getRequest(int id)
public Response fetchResponse(Request request)
public ConversationID addConversation(Response response)
Fuzzer
Search
Compare
Web Services
Description
File name and location
E.g.:
new String(response.getContent()).matches("(?is).*(error|exception).*")
(?is) makes the match case-insensitive (i) and lets "." span line breaks (s), so multi-line bodies match
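The Proxy BeanShell hook and the Search expression above combined into one script, as an added example that is not from the original slides or the WebScarab project: it tags outgoing requests and flags responses whose body looks like unhandled error output, so they stand out when the audit trail is reviewed. It assumes the script is loaded in the Proxy plugin's BeanShell tab and that Request/Response expose getHeader/setHeader, getContent, getStatus and getURL as in the WebScarab source (check against your build; the header names and the log format are my own choices).

```java
// Added example for the WebScarab Proxy BeanShell hook (not from the slides).
// Assumptions: org.owasp.webscarab.model.Request/Response provide setHeader,
// getContent, getStatus and getURL; HTTPClient lives in
// org.owasp.webscarab.httpclient. Verify the names against your WebScarab build.
import java.io.IOException;
import java.util.regex.Pattern;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;

// Same expression the Search plugin example uses: (?i) ignores case,
// (?s) lets '.' cross line breaks so a multi-line HTML body still matches.
Pattern errorLeak = Pattern.compile("(?is).*(error|exception).*");

public Response fetchResponse(HTTPClient nextPlugin, Request request)
        throws IOException {
    // Request side: mark assessment traffic so the application owner can
    // tell it apart from real users in their own logs (header name is assumed).
    request.setHeader("X-Assessment", "webscarab");

    // Pass the request down the plugin chain and wait for the server's answer.
    Response response = nextPlugin.fetchResponse(request);

    // Response side: look for error/exception text in the body. Such output
    // often means a stack trace or internal path is being disclosed.
    byte[] body = response.getContent();
    if (body != null && errorLeak.matcher(new String(body)).matches()) {
        // Header added only to the copy WebScarab stores, making the
        // conversation easy to find later in the summary view.
        response.setHeader("X-WebScarab-Flag", "possible-error-disclosure");
        System.err.println("[flag] " + response.getStatus() + " "
                + request.getMethod() + " " + request.getURL());
    }
    return response;
}
```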