Webscarab Tutorial Part 1 (learning the basics)

This tutorial is designed to walk you through the basics of using an HTTP proxy. An HTTP proxy is very useful when it comes to web application vulnerability assessment. A proxy lets you record every transaction you make while using the web application, producing a history of the pages you have visited and the links you have clicked. A proxy also lets you see the HTTP requests and responses themselves, so you see what is being sent behind the scenes. This document will go into more detail about what an HTTP proxy can do as we step through some exercises on analyzing traffic from a web application.

This tutorial is going to focus on Webscarab, although there are numerous other useful tools on the market (e.g. Paros, Burp). The first thing we’ll need to do is obtain Webscarab; I like to use the version signed by Rogan Dawes, which can be found here. Go to the downloads section and make sure you get the Java Web Start version signed by Rogan Dawes. The second thing we’ll need to do is start up Webscarab. By default Webscarab listens on port 8008, but this can easily be changed to any port. These settings can be seen in Figure 1.

[Image: Webscarab proxy port settings]

Figure 1: Webscarab proxy settings

We’ll also need to configure our browser so that its traffic is routed through the proxy. In recent versions of Firefox the path should be Tools >> Options >> Advanced Tab >> Network Tab >> Settings. Once there, select “Manual proxy configuration”, then for “HTTP Proxy” type in “localhost” and for port use 8008. You’ll also need to do this for the SSL proxy if the web application uses SSL. These settings can be seen in Figure 2.

[Image: Firefox proxy settings]

Figure 2: Firefox proxy settings

The path to change IE settings: Tools >> Internet Options >> Connections tab >> LAN settings. Here you’ll need to check the box that says “Use a proxy server for your LAN”; this can be seen in Figure 3.

[Image: Internet Explorer proxy settings]

Figure 3: IE proxy settings

This tutorial is going to show how Webscarab can walk through and assess the Hacme Casino web application provided by Foundstone. Figure 4 shows the login page for this application.

[Image: Hacme Casino login page]

Figure 4: Hacme Casino login page

I have already created an account within the application with the username “hacker” and a password of “passwd”. So, with Webscarab already running in the background, I am going to log in to Hacme Casino. If you are on the Summary tab within Webscarab you will notice requests and responses filling up rows in the bottom pane. Webscarab is logging all communication between you and the web server; this includes all images, CSS files, JavaScript files, parameters, etc. The top pane of the Summary tab shows you a directory structure of your history through the web application. This Summary tab can be seen in Figure 5.

[Image: Webscarab summary of the Hacme Casino login process]

Figure 5: Webscarab summary tab

Now, a summary of your history is neat, but that only scratches the surface of Webscarab’s functionality. One of the best functions of an HTTP proxy is the ability to intercept requests on the fly or replay those requests at a later time. In order to intercept requests / responses, make sure you have checked the “Intercept requests” / “Intercept responses” checkboxes in the Proxy >> Manual Edit tab. These settings can be seen in Figure 6.

[Image: Webscarab intercept settings]

Figure 6: Webscarab intercept settings

You may be wondering why you would want to intercept or repeat an HTTP request / response. The simple answer is to learn more about what a website is doing with your input (e.g. SSN, credit card, personal information). Application security folks, developers, or curious people may want to understand more about the web application they’re using. Intercepting a request / response will allow you to see and manipulate the communication being sent back and forth. Application security analysts like to replay requests over and over again with different inputs to see what the application will accept as input. This gives security analysts an idea of how secure the application is. Had we intercepted the login process, you would have seen the inputs for username and password being sent to the web server. A screenshot of this can be seen in Figure 7.

[Image: Interception of Hacme Casino login credentials]

Figure 7: Interception of the login process for Hacme Casino

You can see in Figure 7 that Webscarab has intercepted both the username “hacker” and the password “passwd”. An HTTP proxy is able to see the password even though each character was replaced by an asterisk within the application: the masking happens only in the browser’s display, not in what is sent over the wire. At this point you could accept the request or manipulate the parameters. You could try to log in as someone else at this point even though you initially typed in a different username and password. With an HTTP proxy you could manipulate any request / response, not just the login process.
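To make concrete what the proxy sees at this point, here is an added Python example (not part of the original tutorial and not Webscarab’s own code) that parses a constructed login request like the one in Figure 7 and re-serialises it after a parameter edit, recomputing Content-Length the way the proxy must on Accept. The path, host and form field names are assumptions, not Hacme Casino’s real ones; the credentials are the tutorial’s.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample of the login request an intercepting proxy sees when the
# browser submits the form. Path, host and field names are assumptions made for
# this added example, not Hacme Casino's real form.
RAW_LOGIN_REQUEST = (
    "POST /account/login HTTP/1.1\r\n"
    "Host: localhost:3000\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 38\r\n"
    "\r\n"
    "user_login=hacker&user_password=passwd"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers, body and, for
    form posts, the decoded parameters: what the Manual Edit pane shows you."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    # Trust Content-Length rather than whatever trails the body on the wire.
    body = body[:int(headers.get("content-length", len(body)))]
    params = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params = dict(parse_qsl(body, keep_blank_values=True))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body, "params": params}


def build_request(req: dict, params: dict) -> str:
    """Re-serialise a parsed request with edited form parameters. Editing a
    value changes the body length, so Content-Length is recomputed; a stale
    value makes the server read too few or too many bytes."""
    body = urlencode(params)
    headers = {**req["headers"], "content-length": str(len(body))}
    lines = [f'{req["method"]} {req["path"]} {req["version"]}']
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    seen = parse_request(RAW_LOGIN_REQUEST)
    # The browser masked the password with asterisks; the proxy sees it in clear.
    print(seen["params"])
    print(build_request(seen, {**seen["params"], "user_password": "passwd2"}))
```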

This covers Part 1 of the tutorial on Webscarab. OWASP also has a great write-up, called Getting Started, covering basically what I have covered here. So if you ever wanted to know more about a web application, Webscarab is a great tool that can help you learn more. In Part 2 of this series we’ll analyze how an application maintains state by using the “SessionID Analysis” functionality of Webscarab.

72 Responses to “Webscarab Tutorial Part 1 (learning the basics)”

  1. travis Says:

    Sorry for the late reply, did you try starting and stopping the proxy as in the first figure? Sounds like you’ve got everything configured correctly to me.

  2. Divya Says:

    Hi Travis,
    Problem with Webgoat on Paros.
    Below are my settings:
    Using IE7
    Using Paros Proxy (not Webscarab)
    Working under corporate proxy.
    Webgoat configured on 8080 (hope this is the default port)
    Configured paros with corporate proxy with username and password
    IE LAN settings configured as localhost 8080

    Error in Paros:502 Connection Refused.

    URL used: http://localhost/webgoat/attack/ - If this URL is used the Webgoat page is displayed in the browser, but traffic is not routed to Paros

    URL used: http://localhost./webgoat/attack/ - If this URL is used the Webgoat page is not displayed in the browser (browser showing 502 error), but traffic is routed to Paros with HTTP response error 502 Connection Refused.

    Please help me on this.

    Thanks, Divya

  3. Divya Says:

    Hi Travis,

    Sorry, there is a small correction to the above post.

    Error in Paros is 407 Proxy Authorization Required.

    For URL http://localhost./webgoat/attack the browser is prompting for my corporate domain credentials. Though I provide correct credentials, the browser is displaying the Proxy Authorization error.

    My corporate network is not allowing Webscarab, so I’m working on Paros. Though this is a Webscarab tutorial, please help me on Paros.

    Thanks


  5. thamps Says:

    hi Travis,

    Thanks for the nice article. I have one question on interrupting the request and response. As per my understanding, we can manipulate the request and response which originate from the browser. In my application we have an HttpURLConnection to an external site, which gets called from one of the Java classes inside a jar. Is there a way to interrupt this HttpURLConnection and its response? I am not seeing this particular HttpURLConnection request coming in WebScarab.

    thanks,
    Thamps

  6. travis Says:

    Thamp,

    Been terrible about responding, catching up now. I don’t have experience with the Java HttpURLConnection class; one would think that it would act like any other HTTP connection, but I don’t know the details of the application in question. Ideally I would like Burp / Zap / Webscarab in the middle of that communication, but that doesn’t always happen. Because it’s a Java application you have a nice alternative called JavaSnoop (https://www.aspectsecurity.com/research/appsec_tools/javasnoop/) which should give you eyes into that communication. Let me know if that helps.

  7. twitter followers Says:

    Wow, that was odd. I just wrote a really long
    comment but after I clicked submit my comment didn’t show up. Grrrr… well, I’m not writing all that over again.
    Anyway, just wanted to say great blog!

  8. ashish Says:

    I am able to intercept HTTP traffic, but when I access HTTPS traffic I reach the point where the browser warns me about the untrusted certificate. After I accept the warning and continue further I get the following error:

    GET https://lists.owasp.org:443/pipermail/owasp-webscarab/2006-February/000455.html HTTP/1.1
    Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; .NET4.0C; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Host: lists.owasp.org
    Connection: Keep-Alive

    The error was :

    Connection refused: connect
    at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
    at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at org.owasp.webscarab.httpclient.URLFetcher.connect(URLFetcher.java:373)
    at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:229)
    at org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(CookieTracker.java:130)
    at org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(BrowserCache.java:101)
    at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100)
    at org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShell.java:229)
    at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243)
    at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:233)
    at java.lang.Thread.run(Unknown Source)

  9. travis Says:

    ashish,

    What version of Webscarab are you running and what version of Java? Make sure you are running the latest version of both.

  10. ashish Says:

    Hi Travis,

    I am running build 1631 of WebScarab and have the latest Java build, version 7 update 21. The problem is only with HTTPS sites. Are there any other logs which can help to debug the error? I tried with all browsers, IE, Firefox and Chrome, but the error is the same.

  11. travis Says:

    ashish,

    I’m not that familiar with debugging Webscarab. My recommendation would be to join the mailing list and ask your question there. You can sign up for the mailing list here: https://lists.owasp.org/mailman/listinfo/owasp-webscarab

  12. Sudhir Says:

    Hey Travis,

    My home internet connection is “automatic detect settings”.
    So when I change it to manual to point to Webscarab (127.0.0.1:8008), the site on the internet is not accessible.
    I used netstat -ban in cmd to find the proxy address, but couldn’t determine what exactly my proxy address is.
    From ipconfig /all I came to know that DHCP is enabled.

    Please help me out.

  13. ????????????????? Says:

    Hello, just wanted to give you a brief heads up and let you know a few of the pictures aren’t loading correctly. I’m not sure why, but
    I think it’s a linking issue. I’ve tried it in two different browsers and both show the same outcome.

  14. Raghava Says:

    How to go to the next tutorial… anyone please help

  15. Udhay Says:

    Hi,

    Our proxy requires authentication credentials to be entered. I tried to set this in WebScarab but wasn’t able to; I’m getting the error “ConnectionHandler got an error : java.lang.StringIndexOutOfBoundsException: String index out of range: -9”. Could you please help me out?

  16. travis Says:

    Udhay,

    Sorry, not familiar with that error.
