I have finally gotten around to posting a video tutorial of Webscarab. This tutorial merely covers the basics on Webscarab and is a mirror reflection of my written tutorial, Webscarab Tutorial Part 1 (learning the basics). I plan on continuing this video series as I did with my written tutorials. I have always been a fan of video tutorials because they cut right to the chase and show the exact steps how something is performed. I have always frequented the videos on Iron Geek and Milw0rm which have been great resources as well. Don’t forget to maximize the video in the bottom right hand corner of the player, otherwise the video is pointless because you wouldn’t be able to see anything.
The video seems to have some background noise from the audio recording, if anyone has a suggestion for making a better recording I’m all ears. I recorded the screen cast with CamStudio but I also tried Record My Desktop in Linux. I wanted to use Record My Desktop but it was even worse. It could have been my cheap Logitech microphone that was the root cause of the problem? Please post feedback and let me know if these videos are useful, your feedback will determine what content I post in the future.
Part 2 covered the neat functionality of session ID analysis within Webscarab. Now we’ll focus on another great function within Webscarab, fuzzing. I define fuzzing as testing the input of an application by trying various parameters that the input may not expect. These parameters don’t have to be random, in my opinion it’s best when you tailor your parameters depending on the application. When fuzzing you typically want to inject “command & control” parameters into the input to find the most serious vulnerability. For example if a web application is expecting a social security number I may inject html parameters such as ” < / > ” to manipulate the look, feel, and operation of a web application. I don’t want to delve a whole lot into fuzzing because there are books out there that talk about this one subject. This tutorial is going to focus on using Webscarab to fuzz web applications and find vulnerabilities. Hopefully by the end of this tutorial you will better understand the technical aspects of fuzzing as oppose to the concept of fuzzing, but more reading on fuzzing web applications may be required.
Part 1 of this series focused on the basics of using a HTTP proxy to assess a web application. I encourage people to play around with HTTP proxies with a web application that they use frequently, it’s interesting to see what information is being passed between the client and server. This communication can sometimes include your private information so it’s good to understand how that particular web application is handling your information.
This tutorial is designed to walk you through the basics of using a HTTP proxy.A HTTP proxy is very useful when it comes to web application vulnerability assessment.A proxy will allow you to record all of your transactions while using the web application producing a history of pages you have visited and links you have clicked.A proxy also allows you to see the “raw” HTTP request and responses, basically you’ll see what is being sent behind the scenes.This document will go into more detail about what a HTTP proxy can do as we step through some exercises on analyzing traffic from a web application.
