WebApp Sec mailing list archives

RE: Re: Webscarab how to?


From: <PPowenski () oag com>
Date: Mon, 3 Jul 2006 15:34:10 +0100

"only FREE tool"

Paros
Spike




-----Original Message-----
From: mr.nasty () ix netcom com [mailto:mr.nasty () ix netcom com] 
Sent: 03 July 2006 15:01
To: webappsec () securityfocus com
Subject: Re: Re: Webscarab how to?


Thanks for the info.  I had seen some of these posts and was hoping to
start something of a users discussion about WebScarab since it appears
to be the only FREE tool out there that performs web application
vulnerability analysis.


I know I'm asking a lot, but I think a briefing, like a how-to on, say,
setting up a fuzzer;


EXAMPLE:

After setting up the proxy and viewing a conversation, select and right
click a conversation ID.  Select "Use a Fuzz Template" and click on
Fuzzer.


The conversation appears.


What are some of the changes you can make to the;

1) Method

2) URL

3) Header (info)

4) Value

5) Parameters

   a) Location

   b) Name

   c) Type

   d) Value

   e) Priority

   f) *Fuzz Source

      *Using the "Fuzz Source" click on "Sources" at the bottom of
Parameters.  This should open a "Fuzz Sources" dialog box.


I created a .txt file using upper and lower case letters, all numbers
0-9, and other characters one line each.  I put the file in the
webscarab/scripts directory and called it ascii.txt.  I browsed to the
file and added the file and received the following;


java.lang.NullPointerException
        at java.util.TreeMap.compare(Unknown Source)
        at java.util.TreeMap.getEntry(Unknown Source)
        at java.util.TreeMap.get(Unknown Source)
        at org.owasp.webscarab.plugin.fuzz.FuzzFactory.getSource(FuzzFactory.java:70)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$ParameterTableModel.setValueAt(FuzzerPanel.java:1119)
        at javax.swing.JTable.setValueAt(Unknown Source)
        at javax.swing.JTable.editingStopped(Unknown Source)
        at javax.swing.AbstractCellEditor.fireEditingStopped(Unknown Source)
        at javax.swing.DefaultCellEditor$EditorDelegate.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor$3.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor.stopCellEditing(Unknown Source)
        at javax.swing.DefaultCellEditor$EditorDelegate.actionPerformed(Unknown Source)
        at javax.swing.JComboBox.fireActionEvent(Unknown Source)
        at javax.swing.JComboBox.contentsChanged(Unknown Source)
        at javax.swing.JComboBox.intervalRemoved(Unknown Source)
        at javax.swing.AbstractListModel.fireIntervalRemoved(Unknown Source)
        at javax.swing.DefaultComboBoxModel.removeAllElements(Unknown Source)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.updateFields(FuzzerPanel.java:216)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.access$2500(FuzzerPanel.java:93)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$18.run(FuzzerPanel.java:953)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$Listener.runOnEDT(FuzzerPanel.java:1015)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$Listener.propertyChange(FuzzerPanel.java:956)
        at java.beans.PropertyChangeSupport.firePropertyChange(Unknown Source)
        at java.beans.PropertyChangeSupport.firePropertyChange(Unknown Source)
        at org.owasp.webscarab.plugin.fuzz.FuzzFactory.addSource(FuzzFactory.java:48)
        at org.owasp.webscarab.plugin.fuzz.FuzzFactory.loadFuzzStrings(FuzzFactory.java:56)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.addButtonActionPerformed(FuzzerPanel.java:791)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel.access$1100(FuzzerPanel.java:93)
        at org.owasp.webscarab.plugin.fuzz.swing.FuzzerPanel$5.actionPerformed(FuzzerPanel.java:417)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)


Then I re-clicked "Source" and added the ascii.txt file again, then
selected the Fuzz Source drop-down menu and selected ascii.txt.


The bottom left indicates "Started" with 8.18/63.56.  Not exactly sure
what that means.


But I think we could set up a presentation for just about the entire
webscarab thing for setting up or using "WebServices, Manual Requests,
Spider, Extensions etc."


I'm willing to help with whatever I can do.


Thanks
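A small Java model of the failure mode the trace above points at, added here as an illustration and not WebScarab's own code: java.util.TreeMap orders keys by natural ordering, so a lookup with a null source name reaches TreeMap.compare and throws the NullPointerException shown, and one plausible reading of the trace is that the combo box had no selection right after its model was cleared. The registry class, its method names, the temporary file and its contents are all constructed for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.TreeMap;

// Constructed stand-in for a fuzz-source registry; not WebScarab's FuzzFactory.
public class FuzzSourceRegistry {
    // TreeMap with natural ordering: get(null) throws NullPointerException.
    private final TreeMap<String, List<String>> sources = new TreeMap<>();

    // Mirrors the poster's workflow: one fuzz string per line of a .txt file.
    public void loadFuzzStrings(String name, Path file) throws IOException {
        List<String> strings = new ArrayList<>();
        for (String line : Files.readAllLines(file)) {
            if (!line.isEmpty()) strings.add(line);
        }
        sources.put(name, strings);
    }

    // Unguarded lookup: a null name (no selection in the UI) blows up inside TreeMap.
    public List<String> getSourceUnguarded(String name) {
        return sources.get(name);
    }

    // Guarded lookup: treat "no name selected" as "no source" instead of crashing.
    public List<String> getSource(String name) {
        if (name == null) return null;
        return sources.get(name);
    }

    public static void main(String[] args) throws IOException {
        FuzzSourceRegistry registry = new FuzzSourceRegistry();
        // Constructed sample file standing in for scripts/ascii.txt.
        Path tmp = Files.createTempFile("ascii", ".txt");
        Files.write(tmp, Arrays.asList("a", "B", "0", "9", "'", "<"));
        registry.loadFuzzStrings("ascii.txt", tmp);

        System.out.println(registry.getSource("ascii.txt"));
        System.out.println(registry.getSource(null));
        try {
            registry.getSourceUnguarded(null);
        } catch (NullPointerException e) {
            System.out.println("TreeMap.get(null) threw: " + e);
        }
    }
}
```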
