Вы находитесь на странице: 1из 25

Advanced WebScarab

Rogan Dawes, WebScarab project lead


Senior Consultant, Deloitte South
Africa
rdawes@deloitte.co.za
OWAS +27 82 784 9498
P
AppSe
c
Copyright © 2005 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation
DC License.

October
2005 The OWASP
http://www.owasp.org/
Foundation
Who am I?

Day job
Senior Consultant, Deloitte South Africa, ERS
 Security Assessments
 Security Consulting

Night job
Self-taught Java programmer
 Exodus
 WebScarab

OWASP AppSec DC 2005 2


What is WebScarab?

A tool for anyone involved with HTTP-


based applications (e.g. web applications)

Key features
Full visibility into the HTTP protocol
Also supports HTTPS (incl client certs)
Persistent audit trail can easily be reviewed
Primary uses
Security analysis
Application debugging

OWASP AppSec DC 2005 3


What does WebScarab do?

Allows user to view HTTP(S) conversations


between browser and server
Allows user to review those conversations
Allows user to intercept and modify on the
fly
Allows user to replay previous requests
Allows user to script conversations with
full access to the the request and response
object models
And much more!
OWASP AppSec DC 2005 4
Obtaining WebScarab

Hosted on Sourceforge
https://sourceforge.net/projects/owasp
Various package formats
webscarab-installer-<date>.jar
webscarab-selfcontained-<date>.jar
webscarab-src-<date>.jar
Windows IE Integration library
W32WinInet.dll
JavaHelp support

OWASP AppSec DC 2005 5


Setting up the environment

Upstream Proxies
Internet Explorer integration - “Get IE settings”
Exclusion list uses IE format
Certificates
PKCS#12 format files
Store password and key password usually
identical
Server cert loaded from the .jar
MS CAPI integration coming (IE cert store)
Settings saved in properties file
${user.home}/WebScarab.properties
OWASP AppSec DC 2005 6
Useful Tools

Shared Cookies
List of cookies seen by various plugins
Maintains history of previous cookies
Can add and delete cookies
Can be used by Manual Request and Spider
plugins

Transcoder
URL {en,de}code
BASE64 {en,de}code
Hashing
OWASP AppSec DC 2005 7
Conversation viewer

Remembers size and placement


Splitpanes allow resizing Request / Response
Different “editors” for various Content-Type
Hex
Text
Image
HTML
XML
URL Encoded
Multi-part

OWASP AppSec DC 2005 8


Configuring Proxy Listeners

Listens on 127.0.0.1:8008 by default


Supports multiple listeners if required
“Uses plugins” optional
Internet Explorer Integration
Primary listener hijacks IE proxy settings on
startup
Reverse proxy support
For hard-coded applications
Cannot be primary!
Network simulators
Latency and bandwidth
OWASP AppSec DC 2005 9
Manual Request

Creating from scratch


Based on previous request via drop-down
Automatic Content-Length adjustment
Only if the header already exists
Change to the “Raw” tab to get new editors
Checks Content-Type header
“Get Cookies” updates from “Shared Cookies”
“Update CookieJar” adds to “Shared Cookies”

OWASP AppSec DC 2005 10


Session ID Analysis

Quickly collect a large sample of cookies


Convert String to a (BIG) number
Default Calculator – per position character
set
Various calculation algorithms possible
Changing calculators requires recompilation
Table shows calculations and differences
Graph allows visual identification of
patterns

OWASP AppSec DC 2005 11


Session ID Analysis

Based on previous request from drop-


down
Manual editing if necessary (e.g. HEAD vs
GET)
Choose location of Session ID, and Name
Regex describes substring to extract
Default regex is (.*)
“Test” to see what is extracted
Specify number of samples

OWASP AppSec DC 2005 12


Demonstration

Collecting and graphing sessionids from


WebGoat

OWASP AppSec DC 2005 13


Scripting support

Proxy beanshell
public Response fetchResponse(HTTPClient nextPlugin, Request
request)
throws IOException {
// your request modifications here
response = nextPlugin.fetchResponse(request);
// your response modifications here
return response;
}

Tools -> Script Manager


Plugins export hooks
 Framework hook
 Proxy hooks
OWASP AppSec DC 2005 14
Scripting support continued

Scripted Plugin
Multiple language support via BSF
 BeanShell (tested)
 Javascript, Jython, Groovy, etc (untested)
Documentation in the source code
 ScriptedObjectModel.java
Most useful methods
public Request getRequest(int id)
public Response fetchResponse(Request request)
public ConversationID addConversation(Response response)

public void submitAsyncRequest(Request request)


public Response getAsyncResponse()

OWASP AppSec DC 2005 15


Demonstration

Brute forcing a session ID

OWASP AppSec DC 2005 16


New plugins

Fuzzer

Search

Compare

Web Services

OWASP AppSec DC 2005 17


Fuzzer

Specify the method, URL and Version


Add any additional headers
Specify the parameters
Location (Path, Fragment, Query, Cookie, Body)
Name
Type (only String)
Value (used if not fuzzing this parameter)
Priority (controls the permutation algorithm)
Fuzz Source (a named list of fuzz strings)
GO!

OWASP AppSec DC 2005 18


Creating fuzz sources

Description
File name and location

Internal interface also supports programmatic


generation of strings (e.g. length related), but
this requires some coding

Fuzzer is extremely stupid


Only stops on errors (400 or exception)
Just hit Start again if it stops

OWASP AppSec DC 2005 19


Demonstration

Fuzzing for SQL injection errors

OWASP AppSec DC 2005 20


Search plugin

How do we find interesting results then?


Search plugin performs arbitrary matches
against conversations
Description
Search expression

E.g:
new String(response.getContent()).matches("(?is).*(error|
exception).*")
(?is) matches multi-line, case-insensitive

OWASP AppSec DC 2005 21


Demonstration

Finding conversations with SQL injection


errors

OWASP AppSec DC 2005 22


Compare

Compares the body of various responses


Select a baseline to compare against
Conversation list shows the “distance”
from baseline (# words)
Can be sorted on any (combination of )
columns

Select a conversation to show both bodies

OWASP AppSec DC 2005 23


Web Services

Identifies WSDL in conversations


Can load from a file
Parses WSDL
Parses Schema (complex types!)
Presents Services and Operations
Constructs an Object hierarchy for editing
Converts to SOAP message
Invoke!
Currently RPC/encoded only

OWASP AppSec DC 2005 24


Questions?

Rogan Dawes, WebScarab project lead


Senior Consultant, Deloitte South
Africa
rdawes@deloitte.co.za
OWAS +27 82 784 9498
P
AppSe
c
Copyright © 2005 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation
DC License.

October
2005 The OWASP
http://www.owasp.org/
Foundation