
Slide 1: Advanced WebScarab
Copyright © 2005 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation, OWASP AppSec DC, October 2005, http://www.owasp.org/
Rogan Dawes, WebScarab project lead
Senior Consultant, Deloitte South Africa
rdawes@deloitte.co.za, +27 82 784 9498

Slide 2: Who am I?
- Day job
  - Senior Consultant, Deloitte South Africa, ERS
  - Security Assessments
  - Security Consulting
- Night job
  - Self-taught Java programmer
  - Exodus
  - WebScarab

Slide 3: What is WebScarab?
- A tool for anyone involved with HTTP-based applications (e.g. web applications)
- Key features
  - Full visibility into the HTTP protocol
  - Also supports HTTPS (incl. client certs)
  - Persistent audit trail that can easily be reviewed
- Primary uses
  - Security analysis
  - Application debugging

Slide 4: What does WebScarab do?
- Allows the user to view HTTP(S) conversations between browser and server
- Allows the user to review those conversations
- Allows the user to intercept and modify them on the fly
- Allows the user to replay previous requests
- Allows the user to script conversations with full access to the request and response object models
- And much more!

Slide 5: Obtaining WebScarab
- Hosted on Sourceforge
  - https://sourceforge.net/projects/owasp
- Various package formats
  - webscarab-installer-.jar
  - webscarab-selfcontained-.jar
  - webscarab-src-.jar
- Windows IE Integration library
  - W32WinInet.dll
- JavaHelp support

Slide 6: Setting up the environment
- Upstream Proxies
  - Internet Explorer integration: “Get IE settings”
  - Exclusion list uses IE format
- Certificates
  - PKCS#12 format files
  - Store password and key password are usually identical
  - Server cert is loaded from the .jar
  - MS CAPI integration coming (IE cert store)
- Settings saved in a properties file
  - ${user.home}/WebScarab.properties

Slide 7: Useful Tools
- Shared Cookies
  - List of cookies seen by various plugins
  - Maintains history of previous cookies
  - Can add and delete cookies
  - Can be used by Manual Request and Spider plugins
- Transcoder
  - URL {en,de}code
  - BASE64 {en,de}code
  - Hashing

Slide 8: Conversation viewer
- Remembers size and placement
- Splitpanes allow resizing Request / Response
- Different “editors” for the various Content-Types
  - Hex
  - Text
  - Image
  - HTML
  - XML
  - URL Encoded
  - Multi-part

Slide 9: Configuring Proxy Listeners
- Listens on 127.0.0.1:8008 by default
- Supports multiple listeners if required
- “Uses plugins” optional
- Internet Explorer Integration
  - Primary listener hijacks IE proxy settings on startup
- Reverse proxy support
  - For hard-coded applications
  - Cannot be primary!
- Network simulators
  - Latency and bandwidth

Slide 10: Manual Request
- Creating from scratch
- Based on previous request via drop-down
- Automatic Content-Length adjustment
  - Only if the header already exists
- Change to the “Raw” tab to get new editors
  - Checks Content-Type header
- “Get Cookies” updates from “Shared Cookies”
- “Update CookieJar” adds to “Shared Cookies”

Slide 11: Session ID Analysis
- Quickly collect a large sample of cookies
- Convert String to a (BIG) number
  - Default Calculator: per-position character set
  - Various calculation algorithms possible
  - Changing calculators requires recompilation
- Table shows calculations and differences
- Graph allows visual identification of patterns

Slide 12: Session ID Analysis (continued)
- Based on previous request from drop-down
- Manual editing if necessary (e.g. HEAD vs GET)
- Choose location of Session ID, and Name
- Regex describes substring to extract
  - Default regex is (.*)
  - “Test” to see what is extracted
- Specify number of samples
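The per-position calculator from slides 11 and 12, worked through as an added example (not WebScarab's own code): each position of a session ID is treated as a digit whose base is the number of distinct characters observed at that position, the IDs become mixed-radix integers, and the differences between consecutive samples reveal whether the values advance by a fixed step. The sample IDs are constructed.

```python
import math

def build_position_charsets(samples):
    """For every character position, the sorted set of characters observed there.
    Assumed reading of the slide's "per-position character set" calculator."""
    width = len(samples[0])
    if any(len(s) != width for s in samples):
        raise ValueError("all session IDs must have the same length")
    return [sorted({s[i] for s in samples}) for i in range(width)]

def to_big_number(session_id, charsets):
    """Mixed-radix conversion: position i is a digit in base len(charsets[i]).
    Constant positions have a charset of size 1 and contribute nothing."""
    value = 0
    for ch, charset in zip(session_id, charsets):
        if ch not in charset:
            raise ValueError(f"character {ch!r} never observed at this position")
        value = value * len(charset) + charset.index(ch)
    return value

def session_id_report(samples):
    """The table from the slide: a number per sample, the differences between
    consecutive samples, and the size of the space the observed charsets imply."""
    charsets = build_position_charsets(samples)
    values = [to_big_number(s, charsets) for s in samples]
    diffs = [b - a for a, b in zip(values, values[1:])]
    return {
        "charsets": charsets,
        "values": values,
        "diffs": diffs,
        "space": math.prod(len(c) for c in charsets),
        # identical differences mean the IDs advance by a fixed step
        "constant_step": len(set(diffs)) == 1,
    }

# Constructed sample: fixed prefix plus a counter that only exercises a few digits.
SEQUENTIAL = ["SID-T00", "SID-T01", "SID-T02", "SID-T10"]
# Constructed sample with no visible structure.
RANDOMISH = ["Q7", "A3", "Z9"]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("randomish", RANDOMISH)):
        report = session_id_report(sample)
        print(name, report["values"], report["diffs"], "space:", report["space"],
              "constant step:", report["constant_step"])
```

A large sample matters here: the charset at each position, and therefore the number assigned to each ID, is only as complete as the IDs that have been collected.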

Slide 13: Demonstration
- Collecting and graphing session IDs from WebGoat

Slide 14: Scripting support
- Proxy beanshell

    public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
        // your request modifications here
        response = nextPlugin.fetchResponse(request);
        // your response modifications here
        return response;
    }

- Tools -> Script Manager
- Plugins export hooks
  - Framework hook
  - Proxy hooks

Slide 15: Scripting support continued
- Scripted Plugin
- Multiple language support via BSF
  - BeanShell (tested)
  - Javascript, Jython, Groovy, etc. (untested)
- Documentation in the source code
  - ScriptedObjectModel.java
- Most useful methods

    public Request getRequest(int id)
    public Response fetchResponse(Request request)
    public ConversationID addConversation(Response response)
    public void submitAsyncRequest(Request request)
    public Response getAsyncResponse()

Slide 16: Demonstration
- Brute forcing a session ID

Slide 17: New plugins
- Fuzzer
- Search
- Compare
- Web Services

Slide 18: Fuzzer
- Specify the method, URL and Version
- Add any additional headers
- Specify the parameters
  - Location (Path, Fragment, Query, Cookie, Body)
  - Name
  - Type (only String)
  - Value (used if not fuzzing this parameter)
  - Priority (controls the permutation algorithm)
  - Fuzz Source (a named list of fuzz strings)
- GO!

Slide 19: Creating fuzz sources
- Description
- File name and location
- Internal interface also supports programmatic generation of strings (e.g. length related), but this requires some coding
- Fuzzer is extremely stupid
  - Only stops on errors (400 or exception)
  - Just hit Start again if it stops

Slide 20: Demonstration
- Fuzzing for SQL injection errors

Slide 21: Search plugin
- How do we find interesting results then?
- Search plugin performs arbitrary matches against conversations
  - Description
  - Search expression
  - E.g.: new String(response.getContent()).matches("(?is).*(error|exception).*")
  - (?is) matches multi-line, case-insensitive
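The search expression from this slide applied to a few constructed response bodies, as an added example (not WebScarab's code). It reproduces Java's String.matches() semantics, which only succeed when the whole body matches, and shows why the (?s) flag is needed for bodies that span several lines.

```python
import re

# The slide's expression: (?i) is case-insensitive, (?s) lets "." match newlines.
SEARCH_EXPR = r"(?is).*(error|exception).*"

def java_matches(expr, text):
    """Java's String.matches() succeeds only if the *whole* string matches, which
    is why the slide wraps the pattern in .* on both sides; re.fullmatch is the
    Python equivalent."""
    return re.fullmatch(expr, text) is not None

def search_conversations(conversations, expr=SEARCH_EXPR):
    """Return the IDs of the conversations whose response body matches expr."""
    return [cid for cid, body in conversations.items() if java_matches(expr, body)]

# Constructed response bodies standing in for recorded conversations.
CONVERSATIONS = {
    1: "<html>\n<body>\nERROR: unclosed quotation mark after the character string\n</body>\n</html>",
    2: "<html><body>Welcome back, user</body></html>",
    3: "java.lang.NullPointerException\n\tat com.example.Servlet.doGet(Servlet.java:42)",
}

if __name__ == "__main__":
    print(search_conversations(CONVERSATIONS))
    # Without (?s) the dots stop at newlines, so the multi-line bodies are missed.
    print(search_conversations(CONVERSATIONS, r"(?i).*(error|exception).*"))
```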

Slide 22: Demonstration
- Finding conversations with SQL injection errors

Slide 23: Compare
- Compares the body of various responses
- Select a baseline to compare against
- Conversation list shows the “distance” from the baseline (in words)
- Can be sorted on any (combination of) columns
- Select a conversation to show both bodies
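A word-based distance ranking in the spirit of the Compare plugin, as an added example (not WebScarab's code). It assumes the "distance in words" is an edit distance over word tokens, which is one reasonable reading of the slide, and ranks constructed response bodies against a constructed baseline.

```python
import re

def words(body):
    """Tokenize a response body into words; markup punctuation is ignored."""
    return re.findall(r"\w+", body)

def word_distance(baseline, other):
    """Edit distance counted in words: inserting, deleting or replacing one word
    costs 1. Assumed interpretation of the slide's word-based distance."""
    a, b = words(baseline), words(other)
    prev = list(range(len(b) + 1))
    for i, wa in enumerate(a, 1):
        cur = [i]
        for j, wb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete wa
                           cur[j - 1] + 1,              # insert wb
                           prev[j - 1] + (wa != wb)))   # replace, free if equal
        prev = cur
    return prev[-1]

def rank_against_baseline(baseline, responses):
    """(distance, conversation id) pairs, nearest to the baseline first; the
    responses that differ most are the ones worth opening in the viewer."""
    return sorted((word_distance(baseline, body), cid) for cid, body in responses.items())

# Constructed baseline and responses standing in for recorded conversations.
BASELINE = "<p>Login failed. Please try again.</p>"
RESPONSES = {
    101: "<p>Login failed! Please try again.</p>",
    102: "<p>Login failed. Please try again later.</p>",
    103: "<p>You have an error in your SQL syntax</p>",
}

if __name__ == "__main__":
    for distance, cid in rank_against_baseline(BASELINE, RESPONSES):
        print(cid, distance)
```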

Slide 24: Web Services
- Identifies WSDL in conversations
  - Can load from a file
- Parses WSDL
  - Parses Schema (complex types!)
- Presents Services and Operations
- Constructs an Object hierarchy for editing
- Converts to SOAP message
- Invoke!
- Currently RPC/encoded only

Slide 25: Questions?
Rogan Dawes, WebScarab project lead
Senior Consultant, Deloitte South Africa
rdawes@deloitte.co.za, +27 82 784 9498