Comments on: Webscarab Tutorial Part 3 (fuzzing) http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/ Thu, 02 Feb 2012 10:51:40 +0000 hourly 1 http://wordpress.org/?v=3.3 By: MAFRI http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-993 MAFRI Wed, 05 Oct 2011 22:22:42 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-993 <strong>mafri...</strong> [...]» Blog Archive » Webscarab Tutorial Part 3 (fuzzing)[...]... mafri…

[...]» Blog Archive » Webscarab Tutorial Part 3 (fuzzing)[...]…

]]> By: KiranKumar Pedda http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-745 KiranKumar Pedda Fri, 04 Dec 2009 03:46:15 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-745 This site rocks... This site rocks…

]]> By: Mohamed http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-715 Mohamed Tue, 20 Oct 2009 10:57:17 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-715 Thank you Travis Thank you Travis

]]> By: travis http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-714 travis Mon, 19 Oct 2009 11:07:38 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-714 mohamed, not all web applications use the "location" field in their headers. it just so happens the example i used does. when looking to see if the sql injection was successful it's better to look in the body of the response (aka the very bottom pane in webscarab). if you see any errors or something that looks out of place then you may be able to perform sql injection. it's not an exact science but be on the look out for a response that is abnormal. does that answer your question? mohamed,

not all web applications use the “location” field in their headers. it just so happens the example i used does. when looking to see if the sql injection was successful it’s better to look in the body of the response (aka the very bottom pane in webscarab). if you see any errors or something that looks out of place then you may be able to perform sql injection. it’s not an exact science but be on the look out for a response that is abnormal. does that answer your question?

]]> By: Mohamed http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-713 Mohamed Mon, 19 Oct 2009 09:39:51 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-713 I added sql dictionary and started scanning then I went to conversations to check if the expression will take me to another page, I didn't found "Location" :( I added sql dictionary and started scanning then I went to conversations to check if the expression will take me to another page, I didn’t found “Location” :(

]]> By: travis http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-712 travis Mon, 19 Oct 2009 08:27:34 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-712 mohamed, are you saying there's no "location" in the header of the response? mohamed,

are you saying there’s no “location” in the header of the response?

]]> By: Mohamed http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-709 Mohamed Sun, 18 Oct 2009 15:24:59 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-709 Hi Travis I work on OWASP livecd Austin terrier Feb2009. When I tried webscarab as a sql scanner I didn't found the entry of Location please replay ASAP thanks in advance Hi Travis
I work on OWASP livecd Austin terrier Feb2009. When I tried webscarab as a sql scanner I didn’t found the entry of Location
please replay ASAP
thanks in advance

]]> By: Harjeet http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-655 Harjeet Tue, 09 Jun 2009 14:37:01 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-655 Hi Travis I am not getting any pop up window on security certificate for my application. Even though I clicked Intercept botton ON/OFF.Can you pls tell me wat to do? Thanks Harjeet Hi Travis

I am not getting any pop up window on security certificate for my application. Even though I clicked Intercept botton ON/OFF.Can you pls tell me wat to do?

Thanks
Harjeet

]]> By: travis http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-654 travis Tue, 09 Jun 2009 13:22:06 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-654 harjeet, that's somewhat of a general error but the first error is complaining about ssl, have you accepted the certificate so that webscarab can man in the middle the ssl traffic? you should click yes / accept to this certificate. below is a screen shot link to accepting a certificate. http://www.dental.ufl.edu/IT/images/netstorage_accept_cert.jpg harjeet,

that’s somewhat of a general error but the first error is complaining about ssl, have you accepted the certificate so that webscarab can man in the middle the ssl traffic? you should click yes / accept to this certificate. below is a screen shot link to accepting a certificate.

http://www.dental.ufl.edu/IT/images/netstorage_accept_cert.jpg

]]> By: Harjeet http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/comment-page-1/#comment-653 Harjeet Tue, 09 Jun 2009 09:03:55 +0000 http://travisaltman.com/webscarab-tutorial-part-3-fuzzing/#comment-653 Hi Travis, I was Testing an application through Webscarab in remote login which was deployed in "http://training:8080/xyz/" but unable to test. On running the Web scarab i got following errors: WebScarab encountered an error trying to retrieve GET https://training:8080/daytrader/ HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, */* Accept-Language: en-us UA-CPU: x86 Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host: training:8080 The error was : Unrecognized SSL message, plaintext connection? at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source) at java.io.BufferedOutputStream.flushBuffer(Unknown Source) at java.io.BufferedOutputStream.flush(Unknown Source) at org.owasp.webscarab.model.Request.writeDirect(Request.java:233) at org.owasp.webscarab.model.Request.writeDirect(Request.java:214) at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:241) at org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(CookieTracker.java:130) at org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(BrowserCache.java:101) at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100) at org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShell.java:229) at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243) at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:223) at java.lang.Thread.run(Unknown Source) Could you pls help me to solve my problem or any other site where i can post my problem. Thanks Harjeet Hi Travis,

I was Testing an application through Webscarab in remote login which was deployed in “http://training:8080/xyz/” but unable to test.

On running the Web scarab i got following errors:

WebScarab encountered an error trying to retrieve

GET https://training:8080/daytrader/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: training:8080

The error was :

Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at org.owasp.webscarab.model.Request.writeDirect(Request.java:233)
at org.owasp.webscarab.model.Request.writeDirect(Request.java:214)
at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:241)
at org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(CookieTracker.java:130)
at org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(BrowserCache.java:101)
at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100)
at org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShell.java:229)
at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243)
at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:223)
at java.lang.Thread.run(Unknown Source)

Could you pls help me to solve my problem or any other site where i can post my problem.

Thanks

Harjeet

]]>