This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP WebScarab Differences (Classic vs NG)"
RoganDawes (talk | contribs) (New page: '''This page is intended to document the differences between WebScarab Classic and WebScarab Next Generation''' The objective is to list the major features that one has over the other, wi...) |
RoganDawes (talk | contribs) (→Framework functionality) |
||
Line 5: | Line 5: | ||
==Framework functionality== | ==Framework functionality== | ||
− | NG has no concept of the shared cookie jar, which is used in Classic to allow plugins such as the Spider and Manual Request plugins to use the most current cookies for a particular URL. | + | NG has no concept of the shared cookie jar, which is used in Classic to allow plugins such as the Spider and Manual Request plugins to use the most current cookies for a particular URL. This could/should be replaced by an Identity module, which can provide the most current identifiers for a particular identity (cookies, Basic auth, etc). |
NG does not yet have the Transcoder functionality. | NG does not yet have the Transcoder functionality. |
Revision as of 08:09, 8 January 2008
This page is intended to document the differences between WebScarab Classic and WebScarab Next Generation
The objective is to list the major features that one has over the other, with the intent to track the porting of desirable features from Classic to NG.
Framework functionality
NG has no concept of the shared cookie jar, which is used in Classic to allow plugins such as the Spider and Manual Request plugins to use the most current cookies for a particular URL. This could/should be replaced by an Identity module, which can provide the most current identifiers for a particular identity (cookies, Basic auth, etc).
NG does not yet have the Transcoder functionality.
Plugins
NG has significantly fewer plugins than Classic. The only plugins currently implemented in NG are the Proxy and Manual Request plugins.
Some features of the Proxy plugin remain to be ported:
- Ability to specify regexes for URL's (not) to be intercepted
- Ability to specify a regex for conversations that should not be stored
- BeanShell scripts for programmatic modification of requests/responses
- Miscellaneous proxy plugins - Reveal hidden fields, prevent caching of responses
- Ability to modify Internet Explorer proxy settings automatically on startup and exit
Some features of the Manual Request plugin remain to be ported:
- Ability to convert a request from a GET to a POST or multipart POST, and vice versa.
This leaves the following plugins to be implemented:
- Spider
- Extensions
- XSSCRLF
- SessionIDAnalysis
- Scripting
- Fragments
- Compare
- Search
Porting of the WebServices plugin to NG is in progress.
Porting suggestions
For people interested in contributing to this project by porting one of the above plugins, here are some suggestions:
- SessionID analysis
The current session id analysis plugin, while looking cool is actually very misleading. Anyone wanting to implement this feature for NG would be advised to take a look at Michal Zalewski's stompy to see how it can be done better.
- Search, Compare
These plugins are very clunky to use. It actually makes a lot more sense to make those features available as part of the primary interface, rather than relegating them to a backwater. Search should provide a simple interface where the operator can type some text and click Go, rather than having to write code.
- Spider
This plugin should also identify FORMs in the HTML responses, and identify those that have been submitted by matching them with the parameters of GET requests, or the bodies of POST's, using an intelligent matching algorithm. (Empty parameters in the form may be matched to anything in a GET/POST)