This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Autumn of Code 2006 - Projects: WebScarab NG

Revision as of 21:58, 30 July 2016 by Johanna Curiel (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
This historical page is now part of the OWASP archive.
This page contains content that is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were once valid but may now link to sites or pages that no longer exist.
Please use the newer Edition(s) like Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013

AoC Candidate: Rogan

Project coordinator: Andrew van der Stock

Project Progress: xx% Complete - Progress Page

Background and Motivation

History Behind Project

WebScarab was originally designed by a group of people from the webappsec list, with the lofty ambition of being a complete open-source web application vulnerability scanner. Unfortunately, in code terms, it got no further than checking in some slightly-modified code from the WebSphinx spider project before interest waned, and the project stagnated. While participating in the WebScarab design process, Rogan Dawes was also working on a proxy-based tool called Exodus, both from a need for such a tool, and in a desire to learn how to program in Java. After the initial WebScarab effort stagnated, Rogan volunteered to rewrite Exodus, and donate it to OWASP to replace the then-existing spider code. This offer was accepted, and the current WebScarab was born.

Problem to be Addressed

However, WebScarab still had its own share of problems. In the main, those problems were as a result of its user interface, although there were also some fairly fundamental design flaws too

The original WebScarab is a very rough tool. It has a large amount of functionality, but in many cases, that functionality is only understood by its author, and a very few others. This is because WebScarab does not follow any published/recognised Human Interface Guidelines, and so that functionality is not obvious, or even "discoverable" in many cases.

WebScarab NG is intended to be a substantial rewrite of the original WebScarab code, focusing on providing a clean user interface that is intuitive for a newcomer to start using, but still powerful enough to serve the needs of the hardcore web application testers.

Benefit to OWASP Members and Community

The benefits to OWASP members, and the broader web application security community should be obvious. Improved tools can ultimately translate into more secure web applications.

Goals and Deliverables

Plan of Approach

I have already got some fundamental parts of WebScarab NG written. Specifically, WebScarab NG is already usable as an Intercepting Proxy. I intend to start work on the remaining items as described in the deliverables next.


The output of this project will be a WebScarab NG implementation, based on the Spring Rich Client platform, supporting at least the following features:

  • Intercepting Proxy, with the ability to control the proxy using a "stays on top" toolbar
  • Spider
  • Form extractor, that will present any forms identified in the HTML code for editing and submission by the operator
  • Manual request (replay and/or create from scratch)
  • Significantly improved session id analysis plugin (dynamic partitioning of session identifiers AFTER they have been collected)
  • Improved scripting interface and hooks into functions
  • Integrated search and compare functionality

Risks and Rewards

Main Risks

Rewards of Successful Project