Difference between revisions of "OWASP WebScarab NG Project"

From OWASP
m (Added 'OWASP Breakers' tag)
 
(18 intermediate revisions by 6 users not shown)
Line 1: Line 1:
'''Welcome to the WebScarab (Next Generation) Project'''
+
{{OWASP Breakers}}
 +
==== Main  ====
  
WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. To this end, WebScarab-NG makes use of the [http://spring-rich-c.sourceforge.net/ Spring Rich Client Platform ] to provide the user interface features. By using the Spring Rich Client Platform, WebScarab-NG automatically gains things like default buttons, keyboard shortcuts, support for internationalisation, etc.
+
{{:OWASP_WebScarab_NG_Project_Summary}}
 
+
Another new feature is that session information is now written into a database, rather than into hundreds or thousands of individual files. This makes disk space utilisation and things like archiving of sessions a lot easier.
+
 
+
Ultimately, WebScarab-NG will have all the significant functionality that the old WebScarab had, although it will be reorganised quite significantly, in order to make the application more user friendly.
+
  
 
==New User Interface==
 
==New User Interface==
Line 35: Line 32:
 
==Obtaining WebScarab-NG==
 
==Obtaining WebScarab-NG==
  
WebScarab-NG is distributed via Java WebStart, and can be obtained [http://dawes.za.net/rogan/webscarab-ng/webstart/WebScarab-ng.jnlp here].
+
WebScarab-NG is distributed via Google Code, and can be obtained [https://code.google.com/p/webscarab-ng/downloads/list here].
  
A major benefit of using Java WebStart is that users will automatically receive new versions of WebScarab-Ng as they are made available, since WebStart checks to see if a new version is available each time it is run. Of course, if it is run with no access to the Internet, it will still run.
+
After extraction of files user need to run following command:
 +
java -jar WebScarab-ng-X.X.X.one-jar.jar
 +
where X.X.X is downloaded version or use one of scripts (start.sh for Linux, start.bat for Windows).  
  
Note: there is an issue with signing the application and Java web start if you are using Java 1.6.
+
==Technical information==
We are investigating the solution. In the meantime, you can still use WebScarab NG with an older
+
version of Java (without messing up your system).
+
 
+
  "set PATH="c:\Program Files\Java\jdk1.5.0_06\bin" or whatever
+
  "javaws http://dawes.za.net/rogan/webscarab-ng/webstart/WebScarab-ng.jnlp
+
  
Depending on demand, once WebScarab NG matures, it will also be made available for offline installation.
+
Technical information for those interested in digging into it can be found [[ OWASP WebScarab NG Project Technical Info | here]].
  
For information about what changes have been made, please see [http://dawes.za.net/gitweb.cgi?p=dawes.za.net/rogan/webscarab/webscarab-ng.git;a=summary the GIT repository]
+
This page lists the [[OWASP_WebScarab_Differences_%28Classic_vs_NG%29 | differences between WebScarab Classic and WebScarab NG]], including a ToDo list of work still to be done on WebScarab NG.
  
==Technical information==
+
==Tips & Tricks==
 +
 
 +
WebScarab NG already contains a lot of functionality but some of them are well hidden beneath the GUI and nowhere documented.
 +
A list of such functions can be found in the [[OWASP_WebScarab_NG_Tips_&_Tricks|Tips & Tricks of WebScarab NG]] section.
 +
 
 +
==Bugs==
  
Technical information for those interested in digging into it can be found [[ OWASP WebScarab NG Project Technical Info | here]]
+
Any found bugs should be reported via [https://code.google.com/p/webscarab-ng/issues/list WebScarab NG Google Code issues page]. Such mechanism allows us to keep track of all found problems so we can WebScarab-NG better.
  
 
==Feedback==
 
==Feedback==
  
If you have any comments or suggestions for WebScarab-NG, please feel free to send them to the [http://lists.owasp.org/mailman/listinfo/owasp-webscarab OWASP WebScarab mailing list]
+
If you have any comments or suggestions for WebScarab-NG, please feel free to post them on [https://code.google.com/p/webscarab-ng/issues/list WebScarab NG Google Code issues page] or send them to the [http://lists.owasp.org/mailman/listinfo/owasp-webscarab OWASP WebScarab mailing list]
  
 
Your feedback is much appreciated, and will be carefully considered for future releases of WebScarab-NG.
 
Your feedback is much appreciated, and will be carefully considered for future releases of WebScarab-NG.
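Review bot: the new Bugs paragraph is missing a verb: "so we can WebScarab-NG better" should read "so we can make WebScarab-NG better", and "Such mechanism allows us" should be "This mechanism allows us". The added run instructions in the same hunk would also read more clearly as "After extracting the files, run the following command: java -jar WebScarab-ng-X.X.X.one-jar.jar, where X.X.X is the downloaded version, or use one of the start scripts (start.sh for Linux, start.bat for Windows)".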
Line 62: Line 61:
 
==Project Contributors==
 
==Project Contributors==
  
The WebScarab-NG project is run by Rogan Dawes of Aspect Security. He can be contacted at rogan AT dawes.za.net
+
The WebScarab-NG project is run by Daniel Brzozowski. He can be contacted at [[File:Db.png]].
 +
 
 +
==== Project About ====
 +
{{:Projects/OWASP WebScarab NG Project | Project About}}
 +
 
 +
__NOTOC__ <headertabs />
 +
 
 +
 
  
[[Category:OWASP Project]]
+
[[Category:OWASP_Project|WebScarab NG Project]]
[[Category:OWASP Tool]]
+
[[Category:OWASP_Tool]]
[[Category:OWASP Download]]
+
[[Category:OWASP_Download]]
[[Category:OWASP WebScarab Project]]
+
[[Category:OWASP_Alpha_Quality_Tool]]
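Review bot: the category change replaces [[Category:OWASP WebScarab Project]] with [[Category:OWASP_Alpha_Quality_Tool]] rather than adding to it, so the NG project no longer appears under the WebScarab project category even though the page still links to the Classic-vs-NG differences page; if that is unintended, keep both category lines.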

Latest revision as of 20:56, 17 September 2013

This project is part of the OWASP Breakers community.
Feel free to browse other projects within the Defenders, Builders, and Breakers communities.

Main

Welcome to the WebScarab (Next Generation) Project

WebScarab-NG logo

WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. To this end, WebScarab-NG makes use of the Spring Rich Client Platform to provide the user interface features. By using the Spring Rich Client Platform, WebScarab-NG automatically gains things like default buttons, keyboard shortcuts, support for internationalisation, etc.

Another new feature is that session information is now written into a database, rather than into hundreds or thousands of individual files. This makes disk space utilisation and things like archiving of sessions a lot easier.

Ultimately, WebScarab-NG will have all the significant functionality that the old WebScarab had, although it will be reorganised quite significantly, in order to make the application more user friendly.

New User Interface

As mentioned above, the user interface has changed quite a lot from the old WebScarab. Apart from the new default Look&Feel (JGoodies), you will see that the conversation viewer has changed quite a lot. The old "Raw" view is still there, but the Parsed version has changed quite dramatically - for the better, I hope you'll agree!

The Parsed view now shows the request and response details in a tree form, rather than in individual text boxes. This makes the interface look a lot cleaner, and more importantly, is a lot more compact. It also makes it a lot easier to include features like automatically breaking out URL parameters, and multiple cookies into their own nodes, where it is a lot easier to view the individual parameters. We also show the request and the response next to each other, rather than one above the other, since most people seem to have more horizontal real-estate than vertical. The split between request and response can easily be adjusted by dragging, as can the split between the headers and the message content.

WebScarab-NG-default.png

Current status

At this stage, WebScarab-NG's primary feature is the intercepting proxy, which allows the operator to observe and modify requests from a browser or other client as they pass through the proxy. A new feature is the Proxy Control Bar, implemented as a "stays on top" tool bar that floats above your browser or other thick client and allows you to quickly enable or disable request intercepts. It also allows you to annotate or describe the requests as they pass through the proxy. If you type some text into the annotation field, that text will be linked to the next conversation that passes through the proxy, and can later be viewed as part of the conversation history. This can be very helpful for keeping track of what you were doing in a multi-step procedure.

For example: selecting a menu item, entering a value, submitting that value, etc. Sites are often built in such a way that a single action results in dozens of conversations. Annotating the conversation that initiated all the rest makes it very easy to identify them at a later stage.

WebScarab-NG-proxy-control-bar.png
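The annotation behaviour described above, as an added example that is not WebScarab-NG's own code: a small sqlite-backed conversation store (a stand-in for the session database the Main section mentions) holds the text typed into the annotation field as pending, attaches it to the next conversation the proxy records, and can later be searched to find the conversation that started a multi-step action. The table layout, class and function names are assumptions.

```python
import sqlite3
from typing import Optional

# Constructed stand-in for the proxy's session database: one table of proxied
# conversations. The annotation typed into the control bar is held as "pending"
# and attached only to the next conversation the proxy records.
class ConversationStore:
    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS conversation ("
            "id INTEGER PRIMARY KEY, method TEXT, url TEXT, "
            "status INTEGER, annotation TEXT)"
        )
        self.pending: Optional[str] = None

    def annotate(self, text: str) -> None:
        """Text typed into the annotation field; it applies to the next conversation."""
        self.pending = text.strip() or None

    def record(self, method: str, url: str, status: int) -> int:
        """Store one request/response pair, consuming the pending annotation if any."""
        cur = self.db.execute(
            "INSERT INTO conversation (method, url, status, annotation) VALUES (?, ?, ?, ?)",
            (method, url, status, self.pending),
        )
        self.pending = None  # only the first conversation after typing gets the note
        self.db.commit()
        return cur.lastrowid

    def history(self):
        """Conversation history as shown in the viewer, annotation included."""
        return self.db.execute(
            "SELECT id, method, url, status, annotation FROM conversation ORDER BY id"
        ).fetchall()

    def find_annotated(self, needle: str):
        """Locate the conversation that initiated a multi-step action by its note."""
        return self.db.execute(
            "SELECT id, method, url FROM conversation WHERE annotation LIKE ?",
            (f"%{needle}%",),
        ).fetchall()

def demo():
    # Constructed traffic: one annotated login submit followed by the page loads it triggers.
    store = ConversationStore()
    store.annotate("submit login form")
    first = store.record("POST", "http://example.test/login", 302)
    store.record("GET", "http://example.test/home", 200)
    store.record("GET", "http://example.test/home.css", 200)
    return store, first
```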

Error feedback

One of the neat features provided by the Spring Rich Client Platform is the ability to check that the inputs actually make sense, and to provide automated "as you type" feedback to the user.

For example, look at the "Intercept Request" window:

WebScarab-NG-intercept-request-error.png

We can see that the user tried to change the method from "POST" to "PROST". WebScarab-NG has no idea how to execute a "PROST" method, and so provides an error message to inform the user. Additionally, the OK button is automatically disabled, until the error is corrected.
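The same kind of check as a standalone validator, added here as an example and not taken from WebScarab-NG: the method, URL and version fields of an edited request are validated and the result carries the messages to display and whether the OK button should be enabled. The set of known methods and the field names are assumptions, and the URL and version checks extend the page's method example to the other request-line fields.

```python
import re
from dataclasses import dataclass

# Constructed list of methods the proxy knows how to forward; WebScarab-NG's own
# set is not given on the page. Anything else (e.g. "PROST") is rejected.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # HTTP token characters
URL = re.compile(r"^(https?://[^\s/?#]+[^\s]*|/[^\s]*)$")  # absolute-form or origin-form

@dataclass
class ValidationResult:
    errors: dict  # field name -> message to show beside the field; empty when valid

    @property
    def ok_enabled(self) -> bool:
        # Mirrors the form: the OK button stays disabled until every error is fixed.
        return not self.errors

def validate_request_edit(method: str, url: str, version: str) -> ValidationResult:
    """Run "as you type" checks over the editable request-line fields."""
    errors = {}
    if not TOKEN.match(method):
        errors["method"] = "Method is not a valid HTTP token"
    elif method.upper() not in KNOWN_METHODS:
        errors["method"] = f"Unknown HTTP method '{method}'"
    elif method != method.upper():
        errors["method"] = "HTTP methods are case-sensitive; use upper case"
    if not URL.match(url):
        errors["url"] = "URL must be absolute (http[s]://host/...) or an origin-form path"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        errors["version"] = f"Unsupported protocol version '{version}'"
    return ValidationResult(errors)
```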

Obtaining WebScarab-NG

WebScarab-NG is distributed via Google Code, and can be obtained here.

After extracting the files, run the following command:

java -jar WebScarab-ng-X.X.X.one-jar.jar

where X.X.X is the downloaded version, or use one of the start scripts (start.sh for Linux, start.bat for Windows).

Technical information

Technical information for those interested in digging into it can be found here.

This page lists the differences between WebScarab Classic and WebScarab NG, including a ToDo list of work still to be done on WebScarab NG.

Tips & Tricks

WebScarab NG already contains a lot of functionality, but some of it is well hidden in the GUI and documented nowhere. A list of such functions can be found in the Tips & Tricks of WebScarab NG section.

Bugs

Any bugs found should be reported via the WebScarab NG Google Code issues page. This mechanism allows us to keep track of all reported problems so we can make WebScarab-NG better.

Feedback

If you have any comments or suggestions for WebScarab-NG, please feel free to post them on the WebScarab NG Google Code issues page or send them to the OWASP WebScarab mailing list.

Your feedback is much appreciated, and will be carefully considered for future releases of WebScarab-NG.

Project Contributors

The WebScarab-NG project is run by Daniel Brzozowski. He can be contacted at the address shown in the image Db.png.

Project About

PROJECT INFO: What does this OWASP project offer you?

what is this project?
Name: OWASP WebScarab NG Project (home page)
Purpose:
  • WebScarab NG is a robust tool that assists the user in penetration testing. This is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly.
License: GNU General Public License v2
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.

RELEASE(S) INFO: What releases are available for this project?

current release
WebScarab-Ng-0.2.1 - 22 January 2011 - (download)
Release description:
  • Version 0.2.1 with spider functionality - jar with run scripts.
  • New functionality:
    • cookie manager
    • manual spider
    • spider plugin with:
      • automatic discovery
      • integration with cookie manager
      • automatic form submission
      • flexibility to define request headers
      • integration with proxy and websitemap
Rating: Not Reviewed - Assessment Details
last reviewed release
Not Yet Reviewed
other releases