Webscarab, an introduction.


Webscarab, an introduction. Philippe Bogaerts Bee-ware philippe.bogaerts@radarhack.com

Who am I?
During the day: technical manager at Bee-ware, http://www.bee-ware.net
During the night: trying to acquire a good understanding of network security, web application and web services security, pen-testing

Why am I here?
A good opportunity to hear people talking about applications and the related security implications.
To better understand how applications work and how they are developed.
WebScarab is simply a great tool that gave me 'the' better understanding of HTTP and HTTP-based applications.

What is WebScarab?
A Java-based tool for security analysis and application debugging.
WebScarab acts as a proxy between a client and an application: browsers accessing a web application, a client application accessing a web service, ...

What can you do with WebScarab?
Allows the user to view HTTP(S) conversations between browser and server
Allows the user to review those conversations
Allows the user to intercept and modify on the fly
Allows the user to replay previous requests
Allows the user to script conversations with full access to the request and response object models
And much more!

Obtaining WebScarab
More information: http://www.owasp.org/software/webscarab.html
Hosted on Sourceforge: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
Documentation: http://dawes.za.net/rogan/webscarab/docs/
Mailing list: http://lists.sourceforge.net/lists/listinfo/owasp-webscarab

Installing WebScarab
Various package formats:
webscarab-installer-<date>.jar
webscarab-selfcontained-<date>.jar, run with e.g. java -jar webscarab-selfcontained-20051017-2127.jar
webscarab-src-<date>.jar
A beta version is available via the mailing list; the beta version will be discussed during this presentation.

What is new in the beta version?
More extensive certificate support: PKCS#12, PKCS#11, CAPI (to come)
Credential support: automatic learning of credentials, automated insertion of credentials
Extensions module

Setting up the environment
Application and WS can be installed on the same workstation: the application is configured to connect to WS at 127.0.0.1:8008, WebScarab's default listener.
Application and WS can also be installed on different machines.

Configuring WebScarab (Proxy button, Tools -> Proxies)
Multiple instances of listeners, including reverse proxies
WS can use upstream proxies, e.g. a Web Application Firewall under test

WebScarab is ready to capture traffic Summary window displays in real-time all traffic passing through.

Credential caching/learning
When an application requires authentication, WS will pop up to learn the credentials. The credentials will then be inserted automatically.
Supported: Basic authentication, NTLM authentication

Is this useful?
[Diagram: authenticated access (w/o WS) vs. an un-authenticated client reaching the application authenticated through WS]
Any tool not supporting authentication can now be used to access the application in authenticated domains! Ex. nc, web service invocation tools, but also built-in features such as manually crafted requests, the spider and the extension module.

SSL support
[Diagram: without WS the browser sees the server certificate; with WS the browser sees the WS certificate and WS sees the server certificate]
Because WS terminates the SSL connection and presents its own certificate to the browser, the browser will warn about that certificate unless the client has been configured to trust it.

SSL and client certificate support
[Diagram: SSL with client certificate (w/o WS) vs. SSL between browser and WS, and SSL with client certificate between WS and server]
Certificates can be imported via the certificate manager in the following formats: PKCS#12, PKCS#11 (smartcard support), CAPI (road-mapped)

Shared Cookies plug-in
WS will automatically record all cookies seen by other WS plug-ins. The recorded cookies can be re-used in the Spider and in Manual Request.

Manual Request plug-in
A previous request can be modified, or new requests can be built from scratch.
Shared credentials are taken into account! Shared cookies can be reused!

Demo
Demo 1: Accessing a protected resource via netcat
Demo 2: Accessing a protected resource via shared cookies
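The two demos above rely on the credential learning and shared-cookie behaviour from the previous slides. The following is an added example, not WebScarab's own code, that models that behaviour in a few dozen lines: a proxy-side state object learns Basic credentials when the user answers a 401 (the WS pop-up is replaced by an ask_user callback), records every Set-Cookie it sees, and inserts both into later requests for the same host, so a bare netcat-style request reaches the application authenticated. The protected server, the host names and the credentials are all constructed here for the example.

```python
"""Added example, not WebScarab's own code: a toy model of credential learning
and shared cookies. The protected server and all names are constructed."""
import base64
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class SharedState:
    def __init__(self, ask_user):
        self.ask_user = ask_user    # ask_user(host, realm) -> (username, password); stands in for the WS pop-up
        self.credentials = {}       # (host, realm) -> Authorization header value
        self.realm_of = {}          # host -> realm last challenged for that host
        self.cookies = {}           # host -> {cookie name: value}

    def prepare(self, req):
        """Insert learned credentials and shared cookies into an outgoing request."""
        key = (req.host, self.realm_of.get(req.host))
        if "Authorization" not in req.headers and key in self.credentials:
            req.headers["Authorization"] = self.credentials[key]
        jar = self.cookies.get(req.host)
        if jar and "Cookie" not in req.headers:
            req.headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        return req

    def learn(self, req, resp):
        """Record Set-Cookie values; on a Basic 401, ask the user and cache the answer.
        Returns True when credentials were just learned, i.e. the request should be retried."""
        for sc in resp.headers.get("Set-Cookie", []):
            name, _, rest = sc.partition("=")
            self.cookies.setdefault(req.host, {})[name.strip()] = rest.split(";", 1)[0].strip()
        if resp.status == 401:
            m = re.search(r'Basic\s+realm="([^"]*)"', resp.headers.get("WWW-Authenticate", ""))
            if m:
                realm = m.group(1)
                user, password = self.ask_user(req.host, realm)
                token = base64.b64encode(f"{user}:{password}".encode()).decode()
                self.credentials[(req.host, realm)] = "Basic " + token
                self.realm_of[req.host] = realm
                return True
        return False


def proxy_fetch(state, req, send):
    """Forward one request through the shared state, retrying once after a learned 401."""
    resp = send(state.prepare(req))
    if state.learn(req, resp):
        req.headers.pop("Authorization", None)   # drop whatever the client sent, use learned creds
        resp = send(state.prepare(req))
        state.learn(req, resp)
    return resp


def fake_server(req):
    """Constructed stand-in for the protected application: Basic auth, then a session cookie."""
    expected = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    if req.headers.get("Authorization") != expected:
        return Response(401, {"WWW-Authenticate": 'Basic realm="intranet"'})
    if "Cookie" not in req.headers:
        return Response(200, {"Set-Cookie": ["JSESSIONID=abc123; Path=/; HttpOnly"]}, "login ok")
    return Response(200, {}, "welcome, cookie=" + req.headers["Cookie"])


def demo():
    """A browser request teaches WS the credentials and the cookie; a bare nc-style
    request to the same host then gets both inserted; another host gets nothing."""
    state = SharedState(ask_user=lambda host, realm: ("alice", "s3cret"))
    first = proxy_fetch(state, Request("GET", "app.example", "/"), fake_server)
    bare = Request("GET", "app.example", "/admin")         # no auth, no cookies, like nc
    second = proxy_fetch(state, bare, fake_server)
    other = state.prepare(Request("GET", "other.example", "/"))
    return first, second, bare.headers, other.headers


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The credentials are keyed by host and realm rather than by host alone, so a second realm on the same host triggers a new pop-up instead of replaying the wrong password; real WS also handles NTLM, which this model leaves out.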

Spider plug-in
The Spider plug-in analyses responses to identify any links in the response body, or in the "Location" header. If the URL represented has not been seen, the URL is added to a tree, and can be automatically downloaded when desired.
Remark: after a URL has been fetched, it is added to the Summary pane and disappears from the spider pane!

Extension plug-in
The Extension plug-in uses the Extensions tree to brute-force a set of file extensions against the discovered files.
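To make the two plug-ins above concrete, here is an added example, not WebScarab's own code, of the link-discovery step of the Spider and the candidate generation of the Extension plug-in, run on a constructed conversation. The spider pulls targets out of the Location header and out of href/src/action attributes, resolves them against the request URL, drops fragments and off-host links, and files unseen URLs into a tree keyed by host and path segment. The extension step derives the file-name variants that would be requested for a discovered file; the extension list and the host names are assumptions for the example, not WebScarab's default tree.

```python
"""Added example, not WebScarab's own code: spider link discovery plus
extension brute-force candidates. All URLs and the extension list are assumed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

LINK_ATTRS = {"a": "href", "link": "href", "form": "action",
              "img": "src", "script": "src", "iframe": "src"}


class LinkExtractor(HTMLParser):
    """Collect raw link targets from the tags listed in LINK_ATTRS."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = LINK_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.links.append(value)


def normalise(base, ref):
    """Resolve ref against base, drop the fragment, keep the query; None if not http(s)."""
    p = urlsplit(urljoin(base, ref))
    if p.scheme not in ("http", "https"):
        return None
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


class UrlTree:
    def __init__(self):
        self.seen = set()
        self.queue = []     # unseen URLs waiting to be fetched
        self.tree = {}      # host -> segment -> ... -> {}

    def add(self, url):
        """Return True if url was new and has been queued and placed in the tree."""
        if url in self.seen:
            return False
        self.seen.add(url)
        self.queue.append(url)
        p = urlsplit(url)
        node = self.tree.setdefault(p.netloc, {})
        for segment in p.path.split("/"):
            if segment:
                node = node.setdefault(segment, {})
        return True


def spider_step(tree, request_url, headers, body):
    """Feed one conversation to the spider; returns the new in-scope URLs it found."""
    host = urlsplit(request_url).netloc
    refs = []
    if headers.get("Location"):
        refs.append(headers["Location"])
    if body and headers.get("Content-Type", "").startswith("text/html"):
        extractor = LinkExtractor()
        extractor.feed(body)
        refs.extend(extractor.links)
    found = []
    for ref in refs:
        url = normalise(request_url, ref)
        if url and urlsplit(url).netloc == host and tree.add(url):
            found.append(url)
    return found


BACKUP_EXTENSIONS = ["bak", "old", "orig", "txt", "zip"]   # assumed list, not WS's default tree


def extension_candidates(url, extensions=BACKUP_EXTENSIONS):
    """Variants to try for a discovered file: name.ext.bak and name.bak for each extension."""
    p = urlsplit(url)
    if p.path.endswith("/"):
        return []                      # directories are not handled in this example
    directory, _, filename = p.path.rpartition("/")
    stem, dot, _ = filename.rpartition(".")
    out = []
    for ext in extensions:
        out.append(urlunsplit((p.scheme, p.netloc, p.path + "." + ext, "", "")))
        if dot:
            out.append(urlunsplit((p.scheme, p.netloc, f"{directory}/{stem}.{ext}", "", "")))
    return out


def demo():
    """Constructed conversation: a Location header plus an HTML page with in-scope and off-host links."""
    tree = UrlTree()
    tree.add("http://app.example/index.html")          # seed, as seen via the browser
    headers = {"Content-Type": "text/html; charset=utf-8", "Location": "/welcome/"}
    body = ('<html><body><a href="/login.jsp">login</a>'
            '<a href="docs/guide.pdf#top">guide</a>'
            '<img src="http://cdn.other/logo.png">'
            '<a href="/login.jsp?x=1">again</a></body></html>')
    found = spider_step(tree, "http://app.example/index.html", headers, body)
    return found, tree.tree, extension_candidates("http://app.example/login.jsp", ["bak", "old"])


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two choices worth noting: the off-host image is dropped so the spider stays in scope, and query strings are kept while fragments are not, since the fragment never reaches the server. Each URL in the queue would be fetched through the proxy, with shared credentials and cookies inserted, and its response fed back through spider_step.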

Web Services plug-in (Web Services Description Language)
Detection of WSDL files in conversations
Manual import of a WSDL file
Automatic parsing of services
Invocation tool
A nice tool in combination with WebScarab is http://www.soapui.org/

Demo
Demo 1: Checking out the Amazon web services API with the WebScarab invocation tool
Demo 2: SOAP UI via WebScarab

Other features: Search, Compare, Fragments, Scripted, SessionID Analysis

Other products
Paros: http://www.paros.org
Achilles: http://achilles.mavensecurity.com/
Spike
Burp suite
IEWatch

Thank You