Webscarab Tutorial Part 1 (learning the basics)
This tutorial is designed to walk you through the basics of using an HTTP proxy. An HTTP proxy is very useful when it comes to web application vulnerability assessment. A proxy will allow you to record all of your transactions while using the web application, producing a history of the pages you have visited and the links you have clicked. A proxy also allows you to see the HTTP requests and responses; basically, you’ll see what is being sent behind the scenes. This document will go into more detail about what an HTTP proxy can do as we step through some exercises on analyzing traffic from a web application.
This tutorial is going to focus on Webscarab, although there are numerous other useful tools on the market (e.g. Paros, Burp). The first thing we’ll need to do is obtain Webscarab. I like to use the version signed by Rogan Dawes, which can be found here. Go to the downloads section and make sure you get the Java Web Start version signed by Rogan Dawes. The second thing we’ll need to do is start up Webscarab. By default Webscarab listens on port 8008, but this can easily be changed to any port. These settings can be seen in Figure 1.
Figure 1: Webscarab proxy settings
We’ll also need to configure our browser so that our communication is routed through the proxy. In recent versions of Firefox the path should be Tools >> Options >> Advanced Tab >> Network Tab >> Settings. Once there you’ll need to highlight “Manual proxy configuration”, then for “HTTP Proxy” type in “localhost” and for the port use 8008. You’ll also need to do this for the SSL proxy if the web application uses SSL. These settings can be seen in Figure 2.
Figure 2: Firefox proxy settings
The path to change the IE settings is Tools >> Internet Options >> Connections tab >> LAN settings. Here you’ll need to check the box that says “Use a proxy server for your LAN”; this can be seen in Figure 3.
Figure 3: IE proxy settings
This tutorial is going to show how Webscarab can walk through and assess the Hacme Casino web application provided by Foundstone; Figure 4 shows the login page for this application.
Figure 4: Hacme Casino login page
I have already created an account within the application with the username “hacker” and a password of “passwd”. So, with Webscarab already running in the background, I am going to log in to Hacme Casino. If you are on the summary tab within Webscarab you will notice requests and responses filling up rows in the bottom pane. Webscarab is logging all communication between you and the web server; this includes all images, CSS files, JavaScript files, parameters, etc. The top pane of the summary tab shows you a directory structure of your history through the web application. This summary tab can be seen in Figure 5.
Figure 5: Webscarab summary tab
Now, a summary of your history is neat, but that only scratches the surface of Webscarab’s functionality. One of the best functions of an HTTP proxy is the ability to intercept requests on the fly or replay those requests at a later time. In order to intercept requests / responses, make sure you have checked the “Intercept requests” / “Intercept responses” checkboxes in the Proxy >> Manual Edit tab. These settings can be seen in Figure 6.
Figure 6: Webscarab intercept settings
You may be wondering why you would want to intercept or repeat an HTTP request / response. The simple answer is to learn more about what a website is doing with your input (e.g. SSN, credit card, personal information). Application security folks, developers, or curious people may want to understand more about the web application they’re using. Intercepting a request / response will allow you to see and manipulate the communication being sent back and forth. Application security analysts like to replay requests over and over again with different inputs to see what the application will accept as input. This gives security analysts an idea of how secure the application is. Had we intercepted the login process, you would have seen the inputs for username and password being sent to the web server. A screenshot of this can be seen in Figure 7.
Figure 7: Interception of the login process for Hacme Casino
You can see in Figure 7 that Webscarab has intercepted both the username “hacker” and the password “passwd”. An HTTP proxy is able to see the password even though each character was replaced by an asterisk within the application. At this point you could accept the request or manipulate the parameters. You could try to log in as someone else at this point even though you initially typed in a different username and password. With an HTTP proxy you could manipulate any request / response, not just the login process.
This covers Part 1 of the tutorial on Webscarab. OWASP also has a great write-up, called Getting Started, that goes over basically what I have covered here. So if you ever wanted to know more about a web application, Webscarab is a great tool that can help you learn more. In Part 2 of this series we’ll analyze how an application maintains state by using the “SessionID Analysis” functionality of Webscarab.
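To make what the proxy is doing concrete, here is a small recording proxy in Python, added here as an example and not WebScarab’s own code. Like the tutorial’s setup, it listens on a local port; a client connects to it with the absolute URL in the request line (which is what the browser does once “Manual proxy configuration” points at it); the proxy forwards the request and records the method, URL, headers, body and response of every transaction, much like the rows in the summary tab; and a decoded login POST shows the username and password in clear text, which is why the asterisks in Figure 7 are only a display convenience and not protection against anyone holding the proxy position. The login server, the /login path and the hacker/passwd credentials are constructed stand-ins for Hacme Casino, not the real application, and the proxy handles plain HTTP only; an SSL site would need CONNECT handling, which is left out.

```python
import http.client
import http.server
import threading
import urllib.parse
from dataclasses import dataclass

# Connection-level headers that must not be copied from one side to the other.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "transfer-encoding",
              "content-length", "server", "date"}

@dataclass
class Transaction:
    """One proxied request/response, like a row in the summary tab."""
    method: str
    url: str
    headers: dict  # request headers, names lower-cased
    body: bytes
    status: int = 0
    response_body: bytes = b""

    def form_params(self):
        """Decode a urlencoded POST body such as username=hacker&password=passwd."""
        if "application/x-www-form-urlencoded" not in self.headers.get("content-type", ""):
            return {}
        return dict(urllib.parse.parse_qsl(self.body.decode("latin-1")))

def make_proxy_handler(history):
    """Build a handler class that appends every Transaction to the history list."""
    class ProxyHandler(http.server.BaseHTTPRequestHandler):
        log_message = lambda self, *args: None  # keep the demo quiet

        def do_POST(self):
            # A browser configured for a proxy puts the absolute URL in the request line.
            target = urllib.parse.urlsplit(self.path)
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            tx = Transaction(self.command, self.path,
                             {k.lower(): v for k, v in self.headers.items()}, body)
            # Forward upstream; http.client recomputes Content-Length from the body.
            fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
            path = (target.path or "/") + ("?" + target.query if target.query else "")
            up = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
            up.request(self.command, path, body=body or None, headers=fwd)
            resp = up.getresponse()
            tx.status, tx.response_body = resp.status, resp.read()
            up.close()
            history.append(tx)  # recorded before the browser ever sees the response
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP:
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(tx.response_body)))
            self.end_headers()
            self.wfile.write(tx.response_body)

        do_GET = do_POST  # same relay logic; a GET simply has no body
    return ProxyHandler

class LoginHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the casino login page, not the real application."""
    log_message = lambda self, *args: None

    def _reply(self, status, text):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode("latin-1")
        p = dict(urllib.parse.parse_qsl(raw))
        ok = p.get("username") == "hacker" and p.get("password") == "passwd"
        self._reply(200 if ok else 401, "Welcome hacker" if ok else "Login failed")

def serve(handler_cls):
    """Start handler_cls on an ephemeral 127.0.0.1 port in a daemon thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def send_via_proxy(proxy_port, method, url, body=None):
    """Act like a browser with manual proxy settings: connect to the proxy,
    absolute URL in the request line, form encoding when there is a body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    conn.request(method, url, body=body, headers=headers)
    resp = conn.getresponse()
    status, data = resp.status, resp.read()
    conn.close()
    return status, data

def run_demo():
    """Log in to the stand-in application through the proxy; return what was recorded."""
    history = []
    app, proxy = serve(LoginHandler), serve(make_proxy_handler(history))
    url = "http://127.0.0.1:%d/login" % app.server_address[1]
    status, page = send_via_proxy(proxy.server_address[1], "POST", url,
                                  body=b"username=hacker&password=passwd")
    for srv in (app, proxy):
        srv.shutdown()
        srv.server_close()
    return history, status, page
```

Calling run_demo() starts both servers on OS-chosen ports, sends the login through the proxy and returns the history together with the login result; history[0].form_params() is the decoded credential pair that the browser showed as asterisks. The same proxy port can be entered in the Figure 2 settings, but a browser normally skips its proxy for localhost addresses, so that exception has to be cleared before a locally hosted application shows up in the history.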
August 21st, 2007 at 1:45 pm
Very nice. Just one comment, though. The version that you are referring to is actually the OWASP version. There is no difference between “my” version and the OWASP one.
August 21st, 2007 at 7:08 pm
Yeah, you’re right; what I meant was the “lite” version. I’ll correct that in my post. By the way, Rogan, I’ve been trying to get OWASP to post your video presentation, but Google Video is still saying unavailable; maybe you can put a bug in their ear. I’ve tried several times but with no success.
October 6th, 2007 at 8:31 pm
Thank you for sharing!
October 6th, 2007 at 11:44 pm
Nice work. Good text and excellent screenshots.
October 9th, 2007 at 9:00 am
I know this is just basic information that may bore some folks, but there are tons of other people out there that are using Webscarab for the first time. Hopefully this helps them in their quest. Thanks for the feedback guys.
October 24th, 2007 at 5:42 am
Hi. Very nice paper, very useful.
I set up WebScarab when I was working with WebGoat. With WebGoat it works great, but I can’t browse another site. I don’t know what exactly happens; I did all the configs mentioned above, but I’m still having the problem.
PS: The problem exists with both Mozilla and IE.
Thanks in advance.
October 24th, 2007 at 6:55 pm
Not really sure how to solve your problem. Can you browse to sites without the proxy in place? Are you behind another proxy (a corporate proxy), or are you doing this at home? Webscarab should capture all traffic, not just traffic from a specific web application. What port number are you using as the listener? Answer some of these questions and I may be able to help you.
October 25th, 2007 at 4:57 am
I don’t use any proxy server and I do this at home. Webscarab captures all traffic but no page is shown. The port I am using is 8008. I hope now to be more informative.
Thanks for the reply.
May 15th, 2008 at 9:40 pm
[...] will look like http://ririwow.cn/jp.js. In order to see the request one would have to use a local web proxy. Without a proxy you would never see the request. So I’m going to keep my eyes peeled in the [...]
July 22nd, 2008 at 1:58 am
Hi,
I have a problem. I’m using a corporate network in which we use a proxy to surf web sites; my application server and my desktop are on the LAN. I tried to get the IE settings in the proxy window, but my browser was not able to integrate with WebScarab. If I surf the URL manually in the Manual tab it gives a response, but if I add a listener on the IP address of my application server it gives a JVM bind error; if I use my localhost it works fine. Can you help me with this?
cheers
jil
July 28th, 2008 at 6:21 pm
jil,
I’ll email you; sorry for the late reply.
October 14th, 2008 at 1:50 pm
Hi Travis, this information is very useful. I have set the proxy and I am able to see the traffic; looking ahead to see your next post. Thanks for sharing.
October 14th, 2008 at 7:18 pm
gilbert,
gratzi
November 20th, 2008 at 2:09 pm
Hi Rogan Dawes
I am always getting the Webscarab lite version after executing the jar file; to be specific, this is the one that I have used (webscarab-installer-20070504-1631). I tried running the jar file without the lite parameter, but whatever I do I only get the lite version. Please tell me how to get the full version of Webscarab.
Thanks in advance
Madhavi Yami
December 4th, 2008 at 8:12 pm
Madhavi,
First, let me apologize for the late response, and secondly, I am not Rogan Dawes. But no worries, I’m a big fan of Rogan’s work and it’s an honor to be mistaken for him. To answer your question, Madhavi, I use the syntax below.
java -DWebScarab.lite=false -jar webscarab.jar
Let me know if this works for you
December 10th, 2008 at 5:10 pm
Hey Travis
Yeah, I got it by a lot of trial and error from the menu option.
Thanks for the reply
bye,
Madhavi
February 26th, 2009 at 12:24 pm
Hi
Well, I got a problem using port 8008.
I can’t even surf another site using this port… can you please help me?
February 27th, 2009 at 12:52 am
ex,
Shoot me an email offline and I’ll see if I can help (travisaltman@gmail.com).
April 13th, 2009 at 8:09 pm
Hi Travis,
Very useful information.
I am a beginner with security testing and am assigned the task of intercepting the requests of another machine. E.g. if Webscarab is running on the “Test1” machine, then I have to intercept the requests of the “Test2” machine, which is a different machine. Is there a way to accomplish this?
Thanks in advance.
Abhi
April 14th, 2009 at 10:54 am
abhi,
I’m assuming you mean “Test2” is going to google.com and you want “Test1” to intercept that request? I’ve never tried that, but it seems that would be possible, but only if “Test1” and “Test2” were on the same LAN. Also, “Test1” and “Test2” would have to be connected to a hub (Layer 2 on the OSI model) instead of a switch/router (Layer 3 on the OSI model). If “Test1” and “Test2” were connected to a switch/router you could ARP spoof to accomplish this as well. Just a thought; let me know if you’re able to accomplish this.
April 14th, 2009 at 12:33 pm
Thanks for the useful info and quick reply. I will check this out and post the info I get on it.
In a real-world scenario, a hacker would want to intercept the requests of any online user making a transaction. Is it possible? Any way to accomplish this on a different LAN?
Thanks,
Abhi.
April 21st, 2009 at 8:12 pm
Hi Travis,
I have the same problem as Jil:
————————–
I have a problem. I’m using a corporate network in which we use a proxy to surf web sites; my application server and my desktop are on the LAN. I tried to get the IE settings in the proxy window, but my browser was not able to integrate with WebScarab. If I surf the URL manually in the Manual tab it gives a response, but if I add a listener on the IP address of my application server it gives a JVM bind error; if I use my localhost it works fine. Can you help me with this?
————————–
Would really appreciate it if you could email me the solution, as I am really stuck with this.
Thanks
Priti..
April 21st, 2009 at 10:21 pm
abhi,
Sorry for the late reply, no excuse here. So is there any way to intercept requests between different LANs? The short answer is yes, but you would have to leverage a vulnerability or misconfiguration. For example, you could leverage the WPAD proxy attack; video link below.
http://www.shmoocon.org/2007/presentations.html
You could also possibly (never tried) leverage a vulnerability within Cisco’s Dynamic Trunking Protocol to sniff across multiple LANs.
http://www.yersinia.net/
Of course, if you could somehow point users to your DNS or DHCP server, instead of their normal servers, you could sniff traffic across multiple LANs. Hope this answers your question.
May 25th, 2009 at 6:42 pm
Hi Travis,
I am able to install the full version of Webscarab and able to execute it for SQL injection scripts using the Fuzzer.
I am able to find 3 tutorials (HTTP Request\ Response, SQL Injection using Fuzzer and Session ID), but I am not able to find any tutorial for XSS and the functionality of many other tabs.
Please help me out so that I can explore the tool to the fullest.
Thanks in advance.
Regards,
Rohit
May 27th, 2009 at 10:21 pm
Hi all, I’m a very big newbie on this subject, but I have a question. Can we intercept the requests without a proxy? I’m using WebScarab to complete the lessons in WebGoat, but I can’t understand if it’s harder to make the attacks without a proxy or not.
Thanks in advance and sorry for any bad English.
May 28th, 2009 at 2:31 am
rohit,
I have not created a tutorial for the other tabs, so you’ll have to search around and see if you can’t find some tutorials for the other tabs; sorry, no good answer there.
conversoid,
Can you intercept requests without a proxy? No. You can manipulate a GET request via the URL; for example,
http://example.com/newsArticle=story1 can be changed to,
http://example.com/newsArticle=' or 1=1
This is not intercepting the request, but you are “fuzzing” the newsArticle parameter in this situation to see if it properly encodes / validates the output. Within WebGoat you will need Webscarab to perform some of the exercises, but not all of them, just the ones where a proxy is needed.
Hope that answers your questions; if not, we can email offline for a deeper conversation.
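An added example for the point above (not code from the post, from WebGoat or from WebScarab): the two ways a server can use the newsArticle value, probed with the URL-borne input the reply describes. The sqlite articles table, the ?newsArticle= query-string form of the URL and the titles are constructed for this demo. probe() reports what the person fuzzing from the address bar sees in each case: with string concatenation the quote breaks the statement and a database error surfaces (the signal a fuzzer looks for, and a message that should never reach a client), while the bound parameter treats the whole value as an article id and simply finds nothing.

```python
import sqlite3
import urllib.parse


def make_db():
    """Constructed sample articles table; stands in for the site's real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id TEXT PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [("story1", "Casino opens new poker room"),
                    ("story2", "Quarterly results published")])
    return db


def news_article_param(url):
    """Pull the newsArticle query parameter out of a URL, URL-decoded, the way
    the server-side framework would before handing it to the data layer."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query).get("newsArticle", [""])[0]


def lookup_vulnerable(db, article_id):
    """Builds the statement by string concatenation, so a quote character in the
    parameter becomes part of the SQL grammar instead of staying data."""
    sql = "SELECT id, title FROM articles WHERE id = '" + article_id + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, article_id):
    """Bound parameter: the driver passes the value separately from the SQL text,
    so any quote or operator in it is compared literally against the id column."""
    return db.execute("SELECT id, title FROM articles WHERE id = ?", (article_id,)).fetchall()


def probe(db, lookup, url):
    """Run one lookup with the parameter taken from url and report what the
    person fuzzing would observe: ("rows", [...]) or ("error", message)."""
    try:
        return ("rows", lookup(db, news_article_param(url)))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for url in ("http://example.com/?newsArticle=story1",
                "http://example.com/?newsArticle=" + urllib.parse.quote("' or 1=1")):
        print(url)
        print("  concatenated: ", probe(db, lookup_vulnerable, url))
        print("  parameterized:", probe(db, lookup_safe, url))
```

The error text returned by the concatenated version is exactly the kind of response difference that the replay and fuzzing workflow in the tutorial is looking for; the fix is the bound parameter, not filtering quotes out of the input.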
June 18th, 2009 at 7:11 pm
Hi,
I am trying to test the insecure web app through Webscarab. Now the problem I am facing is that the Tomcat server is hosted on localhost (port 8080), and when I try to use Webscarab and listen on port 8080, it gives a Java bind error. Is there a workaround for this so that Webscarab as well as Tomcat can both listen on the same port, or any other solution?
Thanks
June 23rd, 2009 at 7:40 pm
nikhil,
You can’t have two services on the same port; you should have Webscarab listen on a separate port such as 8008. So change the listening port in Webscarab to 8008 and see if that solves your problem; reference Figure 1 above. If that doesn’t solve your problem, let me know.
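An added example (not WebScarab code) of the bind conflict discussed in this thread: a TCP listener is opened to stand in for Tomcat, a second bind on the same port fails with EADDRINUSE, which is what the JVM surfaces as the bind error, and a bind on a separate port succeeds. The ports are chosen by the operating system here instead of 8080 and 8008 so that the demo runs on any machine.

```python
import errno
import socket


def try_listen(port):
    """Bind a TCP listener on 127.0.0.1:port, like WebScarab's proxy listener.
    Returns (socket, None) on success or (None, reason) when the bind fails."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("127.0.0.1", port))
        sock.listen(5)
        return sock, None
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None, "address already in use"  # the JVM reports this as a bind error
        return None, "error: %s" % exc


def demo():
    """Reproduce the conflict: an application server already owns a port, the
    proxy tries the same port and fails, then succeeds on a separate one."""
    app, _ = try_listen(0)                        # stand-in for Tomcat; port 0 = any free port
    app_port = app.getsockname()[1]
    _, same_port_error = try_listen(app_port)     # proxy on the application's port
    proxy, other_port_error = try_listen(0)       # proxy on its own port
    proxy_port = proxy.getsockname()[1]
    app.close()
    proxy.close()
    return same_port_error, other_port_error, app_port != proxy_port


if __name__ == "__main__":
    print(demo())
```

The same check explains the later reports in this thread: a listener bound to an address the machine does not own, or to a port another service holds, never starts, while the browser keeps bypassing a proxy it was never able to reach.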
August 5th, 2009 at 8:26 am
Hi, Travis,
Kudos for the splendid work. My query is: if I’m behind a protected proxy, how can I use the tool? Because of the proxy, Webscarab is not detecting the websites, i.e. no traffic is being populated.
Can you think of a solution?
Thanks, Danny
August 10th, 2009 at 4:03 am
danny,
I assume what you mean is that you’re at school or work, which has a proxy in place to block/protect end users, and you want Webscarab to be aware of that proxy and hopefully chain them together. I typically do not have a need for this but have tried it in the past with no success. In theory you should be able to go into Tools > Proxies and then enter the information for the proxy between you and your application.
August 13th, 2009 at 4:12 am
Hi, I have installed Webscarab but seem to be having issues with it not working. When trying to browse a standard site with intercept enabled, I am constantly getting this message.
WebScarab encountered an error trying to retrieve
GET http://www.google.co.uk:80/ HTTP/1.1
Host: http://www.google.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cache-Control: max-age=0
The error was :
Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at org.owasp.webscarab.httpclient.URLFetcher.connect(URLFetcher.java:362)
at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:223)
at org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(CookieTracker.java:130)
at org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(BrowserCache.java:101)
at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100)
at org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShell.java:229)
at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243)
at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:222)
at java.lang.Thread.run(Unknown Source)
Any help is appreciated.
August 17th, 2009 at 9:20 pm
dan,
Could be a number of reasons you’re getting this error; hard for me to diagnose with this information.
November 11th, 2009 at 10:10 am
Hi, I would like training on Webscarab.
November 17th, 2009 at 8:02 pm
I had the same problem that I could not use the tool via corp proxy. But after setting the credentials in “tools/credentials” page, everything looks good. I also just used firefox for testing. You can also check “always ask for credentials” in the tools/credentials page so that whenever you start testing via tool, a popup will come up where you can enter your credentials. Hope this helps.
February 1st, 2010 at 2:53 pm
Hi,
I am trying to test the insecure web services through Webscarab. Now the problem I am facing is that the Tomcat server is hosted on localhost (port 8080), and when I try to use Webscarab and listen on port 8080, it gives a Java bind error. I also changed the port of the web service to 8008, but with the same port it gives an error message and with different ports it doesn’t intercept any traffic. Please tell me any solution.
Another problem is that I don’t have proxy settings on my system. I’m using a broadband connection at home. So how can I use Webscarab to capture traffic, because with proxy settings I can’t access the net?
Thanks
February 3rd, 2010 at 12:11 am
Nidhi,
Sounds like you’re doing everything correctly. Maybe try grabbing a newer or older version of Webscarab. Without knowing more information, that’s what I would suggest.
April 6th, 2010 at 6:01 pm
Hi Travis,
The problem is: I have the Tomcat web server and Webscarab running on the same machine. The Webscarab proxy runs on localhost:8008. My web server connects through localhost:8080. I can’t find a way to make Webscarab intercept the request.
Any help would be appreciated.
April 6th, 2010 at 7:30 pm
Santhosh,
Double-check your browser’s proxy settings; by default it will not capture traffic on localhost (127.0.0.1), so make sure that box is unchecked in your browser. Let me know if that does not solve your problem.
April 7th, 2010 at 12:52 pm
Hi Travis,
I have already tried it, but still can’t fix it.
Question:
Can I have webscarab and webserver installed on the same machine?