
WebScarab-NG: Autumn of Code 2006 Project


Presentation Transcript


  1. WebScarab-NG: Autumn of Code 2006 Project
     Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, dave.wichers@aspectsecurity.com
     WebScarab Project Lead: Rogan Dawes, rogan@dawes.za.net

  2. What is WebScarab?
     • A tool for anyone involved with HTTP-based applications (e.g. web applications)
     • Key features
       • Full visibility into the HTTP protocol
       • Ability to modify HTTP requests in any way
       • Also supports HTTPS (incl. client certs)
       • Persistent audit trail can easily be reviewed
     • Primary uses
       • Security analysis, web application debugging

  3. Who is writing WebScarab-NG?
     • Rogan Dawes
       • rogan@dawes.za.net
       • Lives in South Africa (just had his first baby May 3rd, Connor Michael Hastings Dawes, otherwise he’d be here!!)
       • Has been developing proxy tools for a while
         • First Mangle (in Perl), then Exodus (in Java)
         • Then WebScarab and now WebScarab-NG
       • Currently works for Aspect Security

  4. What is wrong with WebScarab?
     • “Plainly put - WebScarab’s UI is a disaster!” – Rogan Dawes, author of WebScarab

  5. WebScarab Deficiencies - Summary
     • UI – not intuitive
       • Expected UI sugar, like “right-click copy and paste menus”, etc. not available
       • Trying to retro-fit a huge task
     • Extensive functionality (plugins) intimidating
     • Close coupling between underlying data model and the presentation layer
     • 1000s of files WebScarab writes to record a session (even temporary sessions!)

  6. The solution: WebScarab-NG

  7. WebScarab-NG Benefits
     • Using Spring we get
       • Tons of (Human Interface Guidelines-compliant) stuff, almost without effort
       • Easy internationalization of text
       • Automatic “copy and paste” menus
       • Robust command framework – automatic activation and deactivation of commands when appropriate
       • Intuitive separation of View from Model/Data layer
     • Spring JDBC code also very easy to write

  8. Current WebScarab-NG features
     • Intercepting Proxy
       • Intercept and modify HTTP(S) conversations
     • Manual Request
       • Modify and replay requests
     • Flexible perspectives
       • Eclipse-like
       • Can choose which views to include
     • Data written to a local in-process database
     • Runs using Java Web Start
       • Automatic updates!
     • But lots of WebScarab features not yet ported

  9. WebScarab-NG special features
     • Proxy control bar
       • Stays on top
       • Drop-down control of request intercept
       • Annotate the next conversation to be made
     • Docking framework
     • Validation

  10. WebScarab-NG – finding conversations
      • Select URL(s) to filter conversation list
      • Filter further by keyword or search (Ctrl-F)

  11. So why use the old WebScarab?
      • Reliability – extensive testing over 4 years
      • More features
        • Web Services support
        • Transcoder (an encoder / decoder)
        • Include/Exclude filters
        • Reverse proxy
        • Spider
        • XSS/CRLF injection tests
        • Session ID analysis
        • Scripting engine
        • Fuzzer
        • Advanced search
        • SSL client certificate support

  12. The future of WebScarab (-NG)
      • Significant new development only on -NG
        • Unless we get patches
      • OWASP Spring of Code 2007
        • Implementation of automated testing
          • Record and replay test cases
        • Reimplementation of major features
          • Spider (incl. forms!)
          • Web Services
          • Reverse Proxy
          • Improved Session ID analysis
          • Scripting Engine
          • Automated identity tracking

  13. Questions and Answers
