Webscarab Tutorial Part 1 (learning the basics)

This tutorial is designed to walk you through the basics of using an HTTP proxy. An HTTP proxy is very useful for web application vulnerability assessment. A proxy records all of your transactions while you use the web application, producing a history of the pages you have visited and the links you have clicked. A proxy also lets you see the HTTP requests and responses; in other words, you see what is being sent behind the scenes. This document goes into more detail about what an HTTP proxy can do as we step through some exercises on analyzing traffic from a web application.

This tutorial is going to focus on Webscarab, although there are numerous other useful tools on the market (e.g. Paros, Burp). The first thing we’ll need to do is obtain Webscarab. I like to use the version signed by Rogan Dawes, which can be found here. Go to the downloads section and make sure you get the Java Web Start version signed by Rogan Dawes. The second thing we’ll need to do is start up Webscarab. By default Webscarab listens on port 8008, but this can easily be changed to any port. These settings can be seen in Figure 1.

Figure 1: Webscarab proxy settings

We’ll also need to configure our browser so that its traffic is sent through the proxy. In recent versions of Firefox the path should be Tools >> Options >> Advanced Tab >> Network Tab >> Settings. Once there, select “Manual proxy configuration”, then for “HTTP Proxy” type in “localhost” and for port use 8008. You’ll also need to do this for the SSL proxy if the web application uses SSL. These settings can be seen in Figure 2.

Figure 2: Firefox proxy settings

The path to change IE settings is Tools >> Internet Options >> Connections tab >> LAN settings. Here you’ll need to check the box that says “Use a proxy server for your LAN”; this can be seen in Figure 3.

Figure 3: IE proxy settings

This tutorial is going to show how Webscarab can be used to walk through and assess the Hacme Casino web application provided by Foundstone. Figure 4 shows the login page for this application.

Figure 4: Hacme Casino login page

I have already created an account within the application with the username “hacker” and a password of “passwd”. So with Webscarab already running in the background I am going to log in to Hacme Casino. If you are on the summary tab within Webscarab you will notice requests and responses filling up rows in the bottom pane. Webscarab is logging all communication between you and the web server; this includes all images, CSS files, JavaScript files, parameters, etc. The top pane of the summary tab shows you a directory structure of your history through the web application. This summary tab can be seen in Figure 5.

Figure 5: Webscarab summary tab

Now a summary of your history is neat, but that only scratches the surface of Webscarab’s functionality. One of the best functions of an HTTP proxy is the ability to intercept requests on the fly or replay those requests at a later time. In order to intercept requests / responses, make sure you have checked the “Intercept requests” / “Intercept responses” checkboxes in the Proxy >> Manual Edit tab. These settings can be seen in Figure 6.

Figure 6: Webscarab intercept settings

You may be wondering why you would want to intercept or repeat an HTTP request / response. The simple answer is to learn more about what a website is doing with your input (e.g. SSN, credit card, personal information). Application security folks, developers, or curious people may want to understand more about the web application they’re using. Intercepting a request / response allows you to see and manipulate the communication being sent back and forth. Application security analysts like to replay requests over and over again with different inputs to see what the application will allow as input. This gives security analysts an idea of how secure the application is. Had we intercepted the login process, you would have seen the inputs for username and password being sent to the web server. A screenshot of this can be seen in Figure 7.

Figure 7: Interception of the login process for Hacme Casino

You can see in Figure 7 that Webscarab has intercepted both the username “hacker” and the password “passwd”. An HTTP proxy is able to see the password even though each character was replaced by an asterisk within the application; the asterisks are only how the browser displays the field, and the request carries the value as typed. At this point you could accept the request or manipulate the parameters. You could try to log in as someone else at this point, even though you initially typed in a different username and password. With an HTTP proxy you could manipulate any request / response, not just the login process.
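
What the proxy shows in Figure 7 can be reproduced from the raw request. The following is an added example, not part of the original tutorial or of Webscarab: it parses a constructed login request and reports form fields whose names look sensitive when they travel in the URL or over plain HTTP. The host, port, path and field names are placeholders; only the values “hacker” and “passwd” come from the tutorial.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, in the absolute-URI form a browser sends to a proxy.
# Host, port, path and field names are placeholders (assumptions); only the
# values "hacker" and "passwd" come from the tutorial.
CAPTURED = (
    b"POST http://casino.example:3000/account/login HTTP/1.1\r\n"
    b"Host: casino.example:3000\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"user_login=hacker&user_password=passwd"
)

# Substrings that mark a field name as worth reviewing (illustrative list).
SENSITIVE_HINTS = ("pass", "pwd", "secret", "token", "ssn", "card")


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def form_fields(req):
    """Return (location, name, value) for query-string and form-body fields."""
    query = urlsplit(req["target"]).query
    fields = [("query", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    ctype = req["headers"].get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        body = req["body"].decode("iso-8859-1")
        fields += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return fields


def audit(raw):
    """List findings for sensitive-looking fields in one captured request."""
    req = parse_request(raw)
    # Only an absolute-URI target carries the scheme; a request tunnelled
    # through CONNECT has a path-only target and is reported as "unknown".
    scheme = urlsplit(req["target"]).scheme or "unknown"
    findings = []
    for where, name, _value in form_fields(req):
        if not any(hint in name.lower() for hint in SENSITIVE_HINTS):
            continue
        if where == "query":
            findings.append(f"{name}: sensitive value in the URL")
        if scheme == "http":
            findings.append(f"{name}: sent unencrypted over plain HTTP")
    return findings


if __name__ == "__main__":
    for location, name, value in form_fields(parse_request(CAPTURED)):
        print(f"{location:5} {name} = {value}")  # the password appears as typed
    for finding in audit(CAPTURED):
        print("finding:", finding)
```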

This covers Part 1 of the tutorial on Webscarab. OWASP also has a great write-up, called Getting Started, that goes over basically what I have covered here. So if you have ever wanted to know more about a web application, Webscarab is a great tool that can help you learn more. In Part 2 of this series we’ll analyze how an application maintains state by using the “SessionID Analysis” functionality of Webscarab.

68 Responses to “Webscarab Tutorial Part 1 (learning the basics)”

  1. Rogan Dawes Says:

    Very nice. Just one comment, though. The version that you are referring to is actually the OWASP version. There is no difference between “my” version and the OWASP one.

  2. travis Says:

    Yea, you’re right, what I meant was the “lite” version; I’ll correct that in my post. By the way Rogan, I’ve been trying to get OWASP to post your video presentation but Google video is still saying unavailable, maybe you can put a bug in their ear. I’ve tried several times but with no success.

  3. Wahoo Says:

    Thank you for sharing!

  4. Rupert Bunzing Says:

    Nice work. Good text and excellent screenshots.

  5. travis Says:

    I know this is just basic information that may bore some folks, but there are tons of other people out there that are using Webscarab for the first time. Hopefully this helps them in their quest. Thanks for the feedback guys.

  6. problem Says:

    Hi. Very nice paper, very useful.
    I set up webscarab when I was working out with webgoat. With webgoat it works great, but I can’t browse another site. I don’t know what exactly happens; I did all the configs mentioned above, but I’m still having the problem.
    PS: The problem exists with both Mozilla and IE.
    Thanks in advance.

  7. travis Says:

    Not really sure how to solve your problem. Can you browse to sites without the proxy in place? Are you behind another proxy (a corporate proxy), or are you doing this at home? Webscarab should capture all traffic, not just traffic from a specific web application. What port number are you using as the listener? Answer some of these questions and I may be able to help you.

  8. problem Says:

    I don’t use any proxy server and I do this at home. Webscarab captures all traffic but no page is shown. The port I am using is 8008. I hope now to be more informative.
    Thanks for the reply.

  9. Widespread SQL injection & Javascript malware at Travis Altman Says:

    […] will look like http://ririwow.cn/jp.js. In order to see the request one would have to use a local web proxy. Without a proxy you would never see the request. So I’m going to keep my eyes peeled in the […]

  10. jil Says:

    Hi,

    I have a problem. I’m using a corporate network in which we use a proxy to surf web sites; my application server and my desktop or in LAN. I tried to get the IE settings in the proxy window, but my browser was not able to integrate with webscarab. If I surf the URL manually in the manual tab it gives a response. But if I add a listener with the IP address of my application server it gives a JVM bind error, but if I use my localhost it works fine. Can you help me with this?

    cheers
    jil

  11. travis Says:

    jil,

    i’ll email you, sorry for the late reply.

  12. Gilbert Says:

    Hi travis, this information is very useful. I have set the proxy and I am able to see the traffic. Looking ahead to seeing your next post. Thanks for sharing.

  13. travis Says:

    gilbert,

    gratzi

  14. Madhavi Says:

    Hi Rogan Dawes

    I am always getting the Webscarab lite version after executing the jar file; to be specific, this is the one that I have used (webscarab-installer-20070504-1631). I tried running the jar file without the lite parameter but whatever I do I get only the lite version. Please tell me how to get the full version of Webscarab.

    Thanks in advance
    Madhavi Yami

  15. travis Says:

    Madhavi,

    First let me apologize for the late response, and secondly I am not Rogan Dawes. But no worries, I’m a big fan of Rogan’s work and it’s an honor to be mistaken for him. To answer your question Madhavi, I use the syntax below.

    java -DWebScarab.lite=false -jar webscarab.jar

    Let me know if this works for you

  16. Anonymous Says:

    Hey travis

    Ya, I got it by a lot of trial and error from the menu option.
    Thanks for the reply

    bye,
    Madhavi

  17. ex Says:

    hi

    well i got a problem using port 8008

    i cant even surf another site using this por… can you plz help me

  18. travis Says:

    ex,

    shoot me an email offline and i’ll see if i can help (travisaltman@gmail.com).

  19. Abhi Says:

    Hi Travis,

    Very useful information.
    I am a beginner with security testing and am assigned the task of intercepting requests of another machine. E.g. if Webscarab is running on the “Test1” machine then I have to intercept requests of the “Test2” machine, which is a different machine. Is there a way to accomplish this?
    Thanks in advance.

    Abhi

  20. travis Says:

    abhi,

    i’m assuming you mean “Test2” is going to google.com and you want “Test1” to intercept that request? i’ve never tried that but it seems that would be possible but only if “Test1” and “Test2” were on the same LAN. also “Test1” and “Test2” would have to be connected to a hub (Layer 2 on OSI model) instead of a switch/router (Layer 3 OSI model). if “Test1” and “Test2” were connected to a switch/router you could ARP spoof to accomplish this as well. just a thought, let me know if you’re able to accomplish this.

  21. Abhi Says:

    Thanks for the useful info and quick reply. I will check out on this and post the info i get on it.
    In a real world scenario, a hacker would want to intercept request of any online user making a transaction. Is it possible? Any way to accomplish this on a different LAN?

    Thanks,
    Abhi.

  22. Priti Says:

    Hi Travis,

    I have the same problem as Jil:

    ————————–
    I have a problem. I’m using a corporate network in which we use a proxy to surf web sites; my application server and my desktop or in LAN. I tried to get the IE settings in the proxy window, but my browser was not able to integrate with webscarab. If I surf the URL manually in the manual tab it gives a response. But if I add a listener with the IP address of my application server it gives a JVM bind error, but if I use my localhost it works fine. Can you help me with this?
    ————————–
    Would really appreciate it if you could email me the solution as I am really stuck up with this.

    Thanks
    Priti..

  23. travis Says:

    abhi,

    sorry for the late reply, no excuse here. so is there any way to intercept requests between different LANs? the short answer is yes but you would have to leverage a vulnerability or misconfiguration. for example you leverage the wpad proxy attack, video link below.

    http://www.shmoocon.org/2007/presentations.html

    you could also possibly (never tried) leverage a vulnerability within cisco’s dynamic trunking protocol to sniff across multiple LANs.

    http://www.yersinia.net/

    of course if you could somehow point users to your DNS or DHCP server, instead of their normal servers, you could sniff traffic across multiple LANs. hope this answers your question.

  24. Rohit Bahl Says:

    Hi Travis,

    I am able to install full version of Webscarab and able to execute it for SQL Injection scripts using Fuzzer.
    I am able to find 3 tutorials (HTTP Request\ Response, SQL Injection using Fuzzer and Session ID) but I am not able to search any tutorial for XSS and many other tabs functionality.
    Please help me out so that I can explore the tool to the best.

    Thanks in advance.

    Regards,
    Rohit

  25. Conversoid Says:

    Hi all, I’m a very big newbie on this subject, but i have a question. Can we intercept the requests without a proxy? I’m using WebScarab to complete the lessons in WebGoat, but i can’t understand if it’s harder to make the attacks without a proxy or not.

    Thanks in advance and sorry for any bad English.

  26. travis Says:

    rohit,

    i have not created a tutorial for the other tabs so you’ll have to search around and see if you can’t find some tutorials for the other tabs, sorry no good answer there.

    conversoid,

    can you intercept requests without a proxy? no. you can manipulate a GET request via the URL, for example

    http://example.com/newsArticle=story1 can be changed to,
    http://example.com/newsArticle=‘ or 1=1

    this is not intercepting the request but you are “fuzzing” the newsArticle parameter in this situation to see if it properly encodes / validates the output. within webgoat you will need webscarab to perform some of the exercises but not all of them, just the ones where a proxy is needed.

    hope that answers your questions, if not we can email offline for a deeper conversation.

  27. Nikhil Arora Says:

    Hi,

    I am trying to test the insecure webapp through web scarab. Now the problem I am facing is that the tomcat server is hosted on localhost (port 8080) and when I try to use web scarab and listen on port 8080, it gives a java-bind error. Is there a workaround for this so that web scarab as well as tomcat can both listen on the same port, or any other solution?

    Thanks

  28. travis Says:

    nikhil,

    you cant have 2 services on the same port, you should have webscarab listen on a separate port such as 8008. so change the listening port in webscarab to 8008 and see if that solves your problem, reference figure 1 above. if that doesnt solve your problem let me know.
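
The bind errors and the “Cannot connect to the proxy server” message reported in these comments correspond to ordinary socket states that can be checked before starting the proxy. This is an added example, not part of the original thread or of Webscarab; the function names are hypothetical, and 127.0.0.1:8008 and port 8080 are the values mentioned on this page.

```python
import errno
import socket


def check_bind(host, port):
    """Try to bind a TCP socket the way a proxy listener would.

    Returns "ok", "port-in-use", "address-not-local" or the errno name.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "port-in-use"        # another service already owns host:port
        if exc.errno == errno.EADDRNOTAVAIL:
            return "address-not-local"  # the IP is not assigned to this machine
        return errno.errorcode.get(exc.errno, "unknown-error")
    finally:
        sock.close()


def listener_reachable(host, port, timeout=1.0):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(proxy_host, proxy_port):
    """Explain the state of the address the browser uses as its proxy."""
    if listener_reachable(proxy_host, proxy_port):
        return "a listener is accepting connections; check it is the proxy and not the web server"
    state = check_bind(proxy_host, proxy_port)
    if state == "ok":
        return "nothing is listening; start the proxy or fix the port in the browser"
    if state == "address-not-local":
        return "address is not local; a listener can only bind an IP of this machine"
    return f"bind would fail ({state})"


if __name__ == "__main__":
    # 127.0.0.1:8008 is the default listener from the tutorial; 8080 is the
    # Tomcat port mentioned in the comments.
    for port in (8008, 8080):
        print(port, "->", diagnose("127.0.0.1", port))
```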

  29. Danny Says:

    Hi, Travis

    Kudos for the splendid work :). My query is: if I’m behind a protected proxy, how can I use the tool? Because of the proxy, webscarab is not detecting the websites, i.e. no traffic is being populated.
    Can you think of a solution?

    Thanks Danny

  30. travis Says:

    danny,

    i assume what you mean is that you’re at school or work which has a proxy in place to block/protect end users and you want webscarab to be aware of that proxy and hopefully chain them together. i typically do not have a need for this but have tried it in the past with no success. in theory you should be able to go into tools > proxies and then enter the information for the proxy between you and your application.

  31. dan Says:

    Hi, I have installed webscarab but seem to be having issues with it not working. When trying to browse a standard site with intercept enabled i am constantly getting this message.

    WebScarab encountered an error trying to retrieve

    GET http://www.google.co.uk:80/ HTTP/1.1
    Host: http://www.google.co.uk
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13 (.NET CLR 3.5.30729)
    Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-gb,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive
    Cache-Control: max-age=0

    The error was :

    Connection refused: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(Unknown Source)
    at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at org.owasp.webscarab.httpclient.URLFetcher.connect(URLFetcher.java:362)
    at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:223)
    at org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(CookieTracker.java:130)
    at org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(BrowserCache.java:101)
    at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100)
    at org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShell.java:229)
    at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243)
    at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:222)
    at java.lang.Thread.run(Unknown Source)

    Any help is appreciated.

  32. travis Says:

    dan,

    could be a number of reasons you’re getting this error, hard for me to diagnose with this information.

  33. Sajad Says:

    Hi, I would like training on web scarab

  34. Visu Says:

    I had the same problem that I could not use the tool via corp proxy. But after setting the credentials in “tools/credentials” page, everything looks good. I also just used firefox for testing. You can also check “always ask for credentials” in the tools/credentials page so that whenever you start testing via tool, a popup will come up where you can enter your credentials. Hope this helps.

  35. Nidhi Says:

    Hi,
    I am trying to test the insecure webservices through web scarab. Now the problem I am facing is that the tomcat server is hosted on localhost (port 8080) and when I try to use web scarab and listen on port 8080, it gives a java-bind error. I also changed the port of the web service to 8008, but with the same port it gives an error message and with different ports it doesn’t intercept any traffic. Please tell me any solution.
    Another problem is I do not have a proxy setting on my system. I’m using a broadband connection at home. So how can I use web scarab to capture traffic, because with the proxy setting I can’t access the net.

    Thanks

  36. travis Says:

    Nidhi,

    Sounds like you’re doing everything correct. Maybe try grabbing a newer or older version of Webscarab. Without knowing more information that’s what I would suggest.

  37. Webscarab « d4rKn19t's Blog Says:

    […] Article Source […]

  38. Santhosh Says:

    Hi travis,

    The problem is: I have Webserver Tomcat and the webscarab running on the same machine. webscarab proxy runs on localhost & 8008. My webserver connects through localhost:8080. I can’t find a way to make webscarab intercept the request.

    Any help would be appreciated.

  39. travis Says:

    Santhosh,

    double check your browser’s proxy settings, by default it will not capture traffic on localhost (127.0.0.1), make sure that box is unchecked in your browser. Let me know if that does not solve your problem.

  40. Santhosh Says:

    Hi Travis,

    I have already tried it, but still can’t fix it.

    Question:
    Can I have webscarab and webserver installed on the same machine?

  41. Raghavan Says:

    Guys,

    Somebody asked how to switch between lite and full mode.. Go to Tools and check the Use full-featured mode check box. Now close and open Webscarab, you’ll get the full mode..

    Vice versa for getting to lite-mode..

    If an obsolete info, my apologies.. just as an FYI…

  42. Suresh Says:

    Previously I had no issues. Webscarab went on fine. Now there is a firewall for browsing web sites, with some sites blocked. After implementing the firewall I am unable to use webscarab. I am able to edit the request but in my browser I am facing:

    WebScarab encountered an error trying to retrieve

    The error was :

    Connection refused: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)

    I tried both 8008 & 8080 and am facing the same issue. Can anyone give me some inputs on this, how to configure webscarab with a firewall?

  43. travis Says:

    suresh,

    i think what you want to do is “chain” proxies, have a look at this article and see if it solves your issue.

  44. Fabrizio Says:

    Hi,
    I am trying to solve WebGoat lessons using Webscarab. I’m also using the browser Firefox. I set webscarab to listen on port 8008. I’ve configured firefox to connect to the HTTP proxy on port 8008. The problem is that Webscarab is able to intercept the request, but my browser doesn’t receive data. It remains waiting for the localhost response. Please tell me any solution.

    Thanks

  45. travis Says:

    Fabrizio,

    I’m not quite sure what your problem could be, sounds like you have everything set up correctly. Maybe try the same setup with Internet Explorer and see if you have the same issue. Also you might want to clear your history and cookies inside of firefox; that gives it a fresh start. I’ve sometimes gotten hangups on old history and cookies. Try that and let me know if that works.

  46. Mo Says:

    Hi Travis,

    Great work! Thank you for all the help. I’m trying to test an in-house web application with webscarab and I’m running into issues (my experience is limited). I have the web application running on my local XP IIS and I can’t figure out a way to intercept traffic.

    I have followed all of your instructions above (I am using IE 8.0) and still having issues with locally installed web apps. Any help would be greatly appreciated.

    Keep up the good work 🙂

  47. Mo Says:

    Travis,

    This is Mo again. I just found an answer to my problem (please feel free to add this to any FAQ’s you build). If someone decides to build a test environment and has the webserver and the proxy run on the same box, make sure not to use the URL: http://localhost/mysite

    Using “localhost” means traffic is not routed the classic way (web browser to http server listening port) and therefore the webscarab user won’t be able to intercept traffic. Best practice is to use the local box IP address instead.

    URL: http://192.168.1.5/mysite

    This solution took me a while to find. I hope it can help a lost soul somewhere.

  48. travis Says:

    Mo,

    Glad you found your answer. Also some browsers will automatically not allow proxies for localhost, so you may have to specifically check a box inside the browser’s settings to allow for localhost. Thanks for adding your info and experience.

  49. Is there a program that automaticly finds .PHP files on a web server and tests them for SQL injections? - Admins Goodies Says:

    […] WebScarab Howto: http://travisaltman.com/webscarab-tutorial-part-1-learning-the-basics/ […]

  50. Ru Says:

    A good and helpful post!
    I’m having the same issue that user “problem” asked about earlier. FYI, I’m running webgoat on port 8080 (by executing webgoat_8080.bat) and changed my browser’s HTTP proxy settings to IP: 127.0.0.1 and Port: 8008. Soon after changing the proxy settings, I’m unable to connect to any websites (either localhost or other outside hosts). I have already removed ‘localhost’ from ignored hosts. The area where I’m having the issue, I guess, is that the HTTP proxy is not started. The error message that pops up when I refresh the browser is “Cannot connect to the proxy server”.
    Please help me out in solving this issue..

    Thanking you in advance..:-)
