Presentation is loading. Please wait.

Presentation is loading. Please wait.

Webscarab, an introduction.

Published byRosario Murillo Núñez Modified over 5 years ago

Similar presentations

Presentation on theme: "Webscarab, an introduction."— Presentation transcript:

1 Webscarab, an introduction.
Philippe Bogaerts Bee-ware

2 Who am I? During the day During the night
Technical manager at Bee-ware During the night Trying to acquire a good understanding of network security web application and web services security Pen-testing 2

3 Why am I here ? A good opportunity to hear people talking about applications and the related security implications. To better understand how applications work and how they are developed. WebScarab is simply a great tool that gave me ‘the’ better understanding of HTTP and HTTP-based applications.

4 WebScarab acts as a proxy between a client and an application
What is WebScarab? A java based tool Security analysis Application debugging WebScarab acts as a proxy between a client and an application browsers accessing a web application a client application accessing a web service

5 What can you do with WebScarab?
Allows user to view HTTP(S) conversations between browser and server Allows user to review those conversations Allows user to intercept and modify on the fly Allows user to replay previous requests Allows user to script conversations with full access to the the request and response object models And much more!

6 Obtaining WebScarab More information Hosted on Sourceforge
Hosted on Sourceforge Documentation Mailinglist

7 Various package formats
Installing WebScarab Various package formats webscarab-installer-<date>.jar java -jar webscarab-selfcontained jar webscarab-selfcontained-<date>.jar webscarab-src-<date>.jar Beta version available via mailinglist Beta version will be discussed during presentation

8 What is new in the beta version?
More extensive certificate support Pkcs#12 Pkcs#11 CAPI (to come) Credential support Automatic learning of credentials Automated insertion of credentials Extensions module

9 Setting up the environment
Application and WS can be installed on same workstations Application is configured to connects to WS at :8008 by default Application and WS can be installed on different machines

10 Configuring WebScarab
Multiple instances of reverse proxies Proxy Button WS can use upstream proxies Ex. A Web Application Firewall under test Tools -> Proxies

11 WebScarab is ready to capture traffic
Summary window displays in real-time all traffic passing through.

12 Credential caching/learning
When an application requires authentication, WS will popup to learn the credentials. Credentials will be automatically inserted. Basic authentication NTLM authentication

13 Is this useful ? Authenticated (w/o WS)
Un-authenticated Authenticated Any tool not supporting authentication can now be used to access the application in authenticated domains ! Ex. nc, web service invocation tools … but also build in features such as manual crafted requests, the spider and extension module

14 SSL support <- Server certificate (w/o WS) <- Server certificate
<- WS certificate <- Server certificate

15 SSL and client certificate support
SSL with client certificate (w/o WS) SSL SSL with client certificate Certificates can be imported via the certificate manager in following formats: Pkcs#12 Pkcs#11 (smartcard support) CAPI (road mapped)

16 Shared Cookies plug-in
WS will automatically record all cookies seen by other WS plug-ins. cookies re-use in Spider Manual request

17 Manual Request plug-in
Previous request can be modified New requests can be build from scratch Shared credential are taken into account! Shared cookies can be reused use !

18 Demo Demo 1 Demo 2 Accessing a protected resource via netcat
Accessing a protected resource via shared cookies

19 Spider plug-in The Spider plug-in analyses responses to identify any links in the response body, or the "Location" header. If the URL represented has not been seen, the URL is added to a tree, and can be automatically downloaded when desired. Remark: After a URL has been fetch, it is added to the Summary pane and disappears from the spider pane !

20 Extension plug-in The Extension plug-in uses the Extensions tree to brute-forces a set of file extensions.

21 Web Services Description Language
Web Services plug-in Web Services Description Language Detection of WSDL file in conversations Manual import of WSDL file Automatic parsing of services Invocation tool A nice tool in combination with webscarab is

22 Demo Demo 1 Demo 2 Checking out the Amazon web services API
WebScarab invocation tool SOAP UI via WebScarab

23 Other features Search Compare Fragments Scripted SessionID Analysis

24 Other products Paros Achilles Spike Burp suite IEWatch
Achilles Spike Burp suite IEWatch

25 Thank You

Download ppt "Webscarab, an introduction."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
By Josh Sokol. # whoami  Josh Sokol  B.S. in Computer Science  Cisco Certified Network Associate (CCNA)  SANS GIAC in Web Application.

By Josh Sokol. # whoami  Josh Sokol  B.S. in Computer Science  Cisco Certified Network Associate (CCNA)  SANS GIAC in Web Application.
REST support for B2B access to your AppServer PUG Challenge Americas - 2014 Michael Jacobs : Senior Software Architect Edsel Garcia : Principal Software.

REST support for B2B access to your AppServer PUG Challenge Americas Michael Jacobs : Senior Software Architect Edsel Garcia : Principal Software.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
1 of 3 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.

1 of 3 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
Firefox 2 Feature Proposal: Remote User Profiles TeamOne August 3, 2007 TeamOne August 3, 2007.

Firefox 2 Feature Proposal: Remote User Profiles TeamOne August 3, 2007 TeamOne August 3, 2007.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Peoplesoft: Building and Consuming Web Services

Peoplesoft: Building and Consuming Web Services
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 8: Implementing and Managing Printers.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Similar presentations

Ads by Google