Webscarab – A Beginner’s Guide

A HTTP proxy can help you analyse the data that is sent back and forth between your browser and the websites you visit. It sits between your browser and the website you are visiting and it will hand you all the information that the browser is sending to the website. You have the option to even change the data that is being sent.

 

 

This means that all client side validation of user input can be rendered useless as the HTTP proxy comes into the picture only after the client side validation is done.

 

Consider that you are signing up for an account on a website. There are checks in place which ensure that you have entered a username which consists of only alpha-numerics and lets say an underscore. So, when you try to enter a user name like ‘i.am.noddy’ you are immediately told (probably as soon as you navigate out of the username field) that you should enter something like ‘i_am_noddy’. So you go ahead and enter the username ‘i_am_noddy’. You fill in all the other fields required to finish the sign-up process and click on the ‘Submit’ button. Now, the browser tries to send all your information to the website. But since our HTTP proxy – webscarab is the one we are going to check out today – is setup to intercept all traffic, the browser gives all the information it was going to send to the website to webscarab. You could now change your username to ‘i.a.noddy’ and if the website does not have server side validation, you would have a user name that the web application designers did not want you to have.

 

You could also do other things like change the values of cookies to see how it affects the behaviour of the web application. You could determine which cookie is being used as a session ID (you could try this on gmail.com). You could even remove some cookies and see how the website behaves. You could change the HTTP methods (GET to POST and vice-versa). You can use the HTTP method PUT to see if you are able to write to a directory on a website.

 

We will look at Webscarab though there are others like Paros Proxy & BurpSuite. The Firefox add-on Tamper Data provides a similar functionality.

 

Webscarab is a framework for analysing applications that communicate using HTTP and HTTPS protocols.
Webscarab can do many things besides acting as an intercepting proxy. For eg. it can act like a fuzzer which can take it’s input from a file or even a regular expression.

 

Let us now see how to setup and use Webscarab as an intercepting proxy. Webscarab needs a JRE; so, make sure you have that installed too. Webscarab runs on port 8008 by default. So, configure your browser to use Webscarab as the proxy server.

 

In firefox under Windows, you can find the proxy settings in Tools -> Options -> Advanced -> Network -> Connection -> Settings. In Internet Explorer, you can find the proxy settings in Tools -> Internet Options -> Connections -> LAN Settings -> Proxy Settings

 

In order to be able to use Webscarab from within a LAN setup which already has a proxy server running, you need to point webscarab to your LAN proxy; this is called chaining a proxy. Select the Tools menu option and then choose the Proxy option. Here you need to set the IP address of your LAN proxy server and the port on which it runs.

 

Chaining a Proxy
Chaining a Proxy

 

If you want to intercept the data that is being sent to the web application, do the following. Select the Proxy tab and then the Manual Edit tab. Click on the ‘Intercept requests’ checkbox and if you want to intercept the server response, also click on the ‘Intercept responses’ checkbox.

 

Set up an intercept
Set up an intercept

 

You will now be able to view all the variables that are being sent back and forth between the browser and the web server. Now when you browse a website, the complete request will be presented to you where you can edit any of the parameters. You could edit the method, the URL, the headers and the post data. The top pane consists of the HTTP headers and the bottom pane is the HTTP post data. Click on the ‘Accept changes’ button after you have made your changes.

 

An intercepted request
An intercepted request

 

The response of the server to the above request is given below.

 

An intercepted response
An intercepted response

Comments are closed.