Comments on: Webscarab Tutorial Part 2 (sessiond ID analysis)

By: Gamer

Gamer — Mon, 19 Dec 2011 12:16:56 +0000

hey thanks yo.. nice to read this ..

By: online games

online games — Wed, 29 Jun 2011 12:50:05 +0000

Your style is great

By: travis

travis — Fri, 18 Feb 2011 01:12:06 +0000

prabu, for the gmail problem it's probably the ssl certificate, you'll need to accept the certificate to enter sites that have ssl, an example of what that looks like is here. Once the edit request box comes up you can check the box up top to not intercept requests or responses. Hope that answers your question or solves your problem, let me know.

By: prabu

prabu — Wed, 16 Feb 2011 10:25:30 +0000

Hi travis,

I am using the webscarab first time. I done the connection settings as per you tutiorial 1. Now I am unable login in gmail or yahoomail. But i am able to open google.com or travisaltman.com. could you help me how to resolve it. Moreover if i enter in new website webscarab shows the edit request window. Wheteher it is possilbe to set it automatically to accept changes .

By: Arvind

Arvind — Thu, 03 Jun 2010 06:41:20 +0000

Thanks for this tutorial. The problem in this case is that a session ID is generated on the login page itself and used inside the application as well. So I want to test the strength of this generated session ID. Now Webscarab captures and analyzes etc no problem , except that the session ID always remains the same for all the requests generated. Testing manually and refreshing the page clearly shows that the session ID DOES indeed change for every request, so why does Webscarab “fetch” with the session ID all the time? There’s no LOGOUT here, so I closed the browser itself – but that didn’t help as expected. Any ideas?

By: travis

travis — Mon, 03 Aug 2009 09:38:40 +0000

zach,

glad the article helped, i write these articles as a reference for myself and the students i teach but i’m always glad to see they help others.

By: Zach

Zach — Mon, 27 Jul 2009 09:01:01 +0000

Great article! I was having problems with my web application not generating a new ID every time I connected. What I did is take the cookies (in my case CFID and CFTOKEN) that store session state. Go (in webscarab) Tools –> Shared Cookies and I set the values of both to nothing. Then I went: Proxy –> Miscellaneous and checked the ‘Inject known cookies into requests’. This got the server to create a new session every time I connect.

By: Harjeet

Harjeet — Tue, 16 Jun 2009 06:08:16 +0000

Hi Travis

My 1st Prob is:

I had deployed a Web Goat in to my local machine.
http://localalhost/WebGoat/attack. I am able to Access it. But when i am accessing the same WebGoat Application in different system which is same domain as (http://160.110.233.88/WebGoat/attack) i am not able to access the WebGoat Application.160.110.233.88 is IP of my local system. How can i access Webgoat in different machine?

My 2nd problem is:

When i am running WebGoat in my local system I set proxy as Localhost & port is 80 it runs fine. Now when i run Webscarab it runs on 8008 port. how can i run both Webgoat as well as Webscarab simaltaneosuly as Webgot runs on port 80 & WebScarab runs on port8008.

Help me to solve my problem.

Thanks
Harjeet

By: travis

travis — Mon, 01 Jun 2009 17:35:55 +0000

harjeet,

without the source code checking for SQLi and XSS will be the same no matter what language you’re working in (asp, jsp, php). if you have the source code then things are different. abysssec.com has a great article on checking for typical vulnerabilities within php, go check it out.

http://www.abysssec.com/blog/2009/03/php_fuzz_audit/

By: Harjeet

Harjeet — Mon, 01 Jun 2009 07:03:17 +0000

Hi Travis,

How to check the SQLi & XSS in php applications using Webscarab or Do you have any other tools to test php applications.

Thanks

Harjeet