This tutorial is designed to walk you through the basics of using a HTTP proxy. A HTTP proxy is very useful when it comes to web application vulnerability assessment. A proxy will allow you to record all of your transactions while using the web application producing a history of pages you have visited and links you have clicked. A proxy also allows you to see the “raw” HTTP request and responses, basically you’ll see what is being sent behind the scenes. This document will go into more detail about what a HTTP proxy can do as we step through some exercises on analyzing traffic from a web application.
This tutorial is going to focus on Webscarab, although there are other numerous useful tools on the market (e.g.
Figure 1: Webscarab proxy settings
We’ll also need to configure our browser so that our communication is pointed through the proxy. In recent versions of Firefox the path should be Tools >> Options >> Advanced Tab >> Network Tab >> Settings. Once there you’ll need to highlight “Manual proxy configuration”, then for “HTTP Proxy” type in “localhost” and for port use 8008. You’ll also need to do this for the SSL proxy if the web application uses SSL. These settings can be seen in Figure 2.
Figure 2: Firefox proxy settings
The path to change IE settings: Tools >> Internet Options >> Connections tab >> LAN settings. Here you’ll need to check the box that says “Use a proxy server for your LAN”, this can be seen in Figure 3.
Figure 3: IE proxy settings
This tutorial is going to show how Webscarab can walk through and assess the Hacme Casino web application provided by Foundstone, Figure 4 shows the login page for this application.
Figure 4: Hacme Casino login page
I have already created an account within the application with the username “hacker” and a password of “passwd”. So with Webscarab already running in the background I am going to login to Hacme Casino. If you are on the summary tab within Webscarab you will notice requests and responses filling up rows in the bottom pane. Webscarab is logging all communication between you and the web server, this includes all images, CSS files, Javascript files, parameters, etc… The top pane of the summary tab shows you a directory structure of your history through the web application. This summary tab can be seen in Figure 5.
Figure 5: Webscarab summary tab
Now a summary of your history is neat but that only scratches the surface of Webscarab’s functionality. One of the best functions of a HTTP proxy is the ability to intercept requests on the fly or replay those requests at a later time. In order to intercept requests / responses make sure you have checked the “Intercept requests” / “Intercept responses” checkboxes in the Proxy >> Manual Edit tab. These settings can be seen in Figure 6.
Figure 6: Webscarab intercept settings
You may be wondering why you would want to intercept or repeat a HTTP request / response. The simple answer is to learn more about what a website is doing with your input (e.g. SSN, credit card, personal information). Application security folks, developers, or curious people may want to understand more about the web application they’re using. Intercepting a request / response will allow you to see and manipulate communication being sent back and forth. Application security analysts like to replay requests over and over again with different inputs to see what the application will allow as input. This will give security analysts an idea of how secure the application is. Had we intercepted the login process you would have seen the inputs for username and password being sent to the web server. A screen shot of this can be seen in Figure 7.
Figure 7: Interception of the login process for Hacme Casino
You can see in Figure 7 that Webscarab has intercepted both the username “hacker” and password “passwd”. A HTTP proxy is able to see the password even though each character was replaced by an asterisk within the application. At this point you could accept the request or manipulate the parameters. You could try to login as someone at this point even though you initially typed in a different username and password. With a HTTP proxy you could manipulate any request / response not just the login process.
This covers Part 1 of the tutorial on Webscarab. OWASP also has a great write up, called Getting Started, going over basically what I have covered here. So if you ever wanted to know more about a web application Webscarab is a great tool that can help you learn more. In Part 2 of this series we’ll analyze how an application maintains state by using the “SessionID Analysis” functionality of Webscarab.
Very nice. Just one comment, though. The version that you are referring to is actually the OWASP version. There is no difference between “my” version and the OWASP one.
Yea your right, what I meant was the “lite” version, I’ll correct that in my post. By the way Rogan I’ve been trying to get OWASP to post your video presentation but Google video is still saying unavailable, maybe you can put a bug in their ear. I’ve tried several times but with no success.
Thank you for sharing!
Nice work. Good text and excellent screenshots.
I know this is just basic information that may bore some folks, but there are tons of other people out there that are using Webscarab for the first time. Hopefully this helps them in their quest. Thanks for the feedback guys.
Hi. Very nice paper , very useful.
I setted up webscarab when i was working out with webgoat . With webgoat works great , but i can’t browse another site. I don’t know what exactly happens , i did all the configs mentioned above , but still having problem .
Ps : Either with mozilla and IE problem exist.
Thanks in advance.
Not really sure how to solve your problem. Can you browse to sites without the proxy in place? Are you behind another proxy (a corporate proxy), or are you doing this at home? Webscarab should capture all traffic, not just traffic from a specific web application. What port number are you using as the listener? Answer some of these questions and I may be able to help you.
I don’t use any proxy server and i do this at home . Webscarab captures all traffic but no page is shown. The port i am usisng is 8008. I hope now to be more imforamtive .
Thanks for the reply .
Hi,
I have a problem i m using corporate network in that we use proxy to surf web sites my application server and my desktop or in lan .I tried to get ie seetings in proxy window.But my browser was not able to integrate with webscarb.If i surf manually the url in manually tab it gives response.But if i add listerner the ip address of mine application server it give jvm bind error.but if i use my localhost it work fine.can you help me in this
cheers
jil
jil,
i’ll email you, sorry for the late reply.
Hi travis, this information is very useful, i have set the proxy and i could able to see the traffic looking ahead to see your next post. Thanks for sharing.
gilbert,
gratzi
Hi Rogan Dawes
I am always getting Webscarab lite version after executing the jar file to be specific this is the one that i have used (webscarab-installer-20070504-1631) . I tried running the jar file without the lite parameter but whatever i do i do get only the lite version. Please tell me how to get the Full version of Webscarab .
Thanks in advance
Madhavi Yami
Madhavi,
first let me apologize for the late response and secondly I am not Rogan Dawes. But no worries I’m a big fan of Rogan’s work and it’s a honor to be mistaken for him. To answer your question Madhavi I use the syntax below.
java -DWebScarab.lite=false -jar webscarab.jar
Let me know if this works for you
Hey travis
Ya i got it by lot of trial and error from themenu option
Thanks for the reply
bye,
Madhavi