This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP WebScarab Differences (Classic vs NG)"

From OWASP
Jump to: navigation, search
m
 
(5 intermediate revisions by 3 users not shown)
Line 7: Line 7:
 
NG has no concept of the shared cookie jar, which is used in Classic to allow plugins such as the Spider and Manual Request plugins to use the most current cookies for a particular URL. This could/should be replaced by an Identity module, which can provide the most current identifiers for a particular identity (cookies, Basic auth, etc).
 
NG has no concept of the shared cookie jar, which is used in Classic to allow plugins such as the Spider and Manual Request plugins to use the most current cookies for a particular URL. This could/should be replaced by an Identity module, which can provide the most current identifiers for a particular identity (cookies, Basic auth, etc).
  
NG now also has the Transcoder functionality, implemented as a modal dialog. It is intended to also implement "right-click" menus to perform various transcoding operations "in-place" in arbitrary text fields.
+
NG now also has the Transcoder functionality, implemented as a non-modal dialog. It is intended to also implement "right-click" menus to perform various transcoding operations "in-place" in arbitrary text fields.
  
 
==Plugins==
 
==Plugins==
  
 
NG has significantly fewer plugins than Classic. The only plugins currently implemented in NG are the Proxy, Manual Request and WebServices plugins.  
 
NG has significantly fewer plugins than Classic. The only plugins currently implemented in NG are the Proxy, Manual Request and WebServices plugins.  
 
Some features of the Proxy plugin remain to be ported:
 
* Ability to specify regexes for URL's (not) to be intercepted
 
* Ability to specify a regex for conversations that should not be stored
 
* BeanShell scripts for programmatic modification of requests/responses
 
* Miscellaneous proxy plugins - Reveal hidden fields, prevent caching of responses
 
* Ability to modify Internet Explorer proxy settings automatically on startup and exit
 
 
Some features of the Manual Request plugin remain to be ported:
 
 
* Ability to convert a request from a GET to a POST or multipart POST, and vice versa.
 
  
 
This leaves the following plugins to be implemented:
 
This leaves the following plugins to be implemented:
Line 35: Line 24:
 
* Search
 
* Search
  
Porting of the WebServices plugin to NG is partially completed. Currently it is sufficient to access the WebGoat web service, but it doesn't support complex types. This functionality could easily be added if desired.
+
=== Proxy ===
 +
Features that remain to be ported:
 +
* BeanShell scripts for programmatic modification of requests/responses
 +
* Miscellaneous proxy plugins - Reveal hidden fields, prevent caching of responses
 +
* Ability to modify Internet Explorer proxy settings automatically on startup and exit
 +
 
 +
=== Manual Request ===
 +
Features that remain to be ported:
 +
* Ability to convert a request from a GET to a POST or multipart POST, and vice versa.
 +
 
 +
=== WebServices ===
 +
Partially completed. Currently it is sufficient to access the WebGoat web service.
 +
 
 +
Features that remain to be ported:
 +
* Support for complex types (This functionality could easily be added if desired)
 +
 
 +
==HTTP Protocol support==
 +
 
 +
WebScarab-classic has support for authentication to servers using SSL client certificates (including those stored on a smart card), as well as using NTLM. NG does not currently support SSL client certificates at all. NTLM should be supported through the Apache HTTPClient library, but this has not been tested.
  
 
==Porting suggestions==
 
==Porting suggestions==
Line 47: Line 54:
 
These plugins are very clunky to use. It actually makes a lot more sense to make those features available as part of the primary interface, rather than relegating them to a backwater. Search should provide a simple interface where the operator can type some text and click Go, rather than having to write code.
 
These plugins are very clunky to use. It actually makes a lot more sense to make those features available as part of the primary interface, rather than relegating them to a backwater. Search should provide a simple interface where the operator can type some text and click Go, rather than having to write code.
  
* Spider
+
==Execution==
This plugin should also identify FORMs in the HTML responses, and identify those that have been submitted by matching them with the parameters of GET requests, or the bodies of POST's, using an intelligent matching algorithm. (Empty parameters in the form may be matched to anything in a GET/POST)
 
  
==Execution==
+
WebScarab NG is distributed using the Maven onejar plugin, which packages all the required jars into a subdirectory of the "onejar", and provides a specialised classloader to allow Java to access the contents of those jars. To start WebScarab NG use following command in jar directory
  
WebScarab NG is currently only executable via Java WebStart, which is likely to pose a problem for certain folk. An alternate packaging has been created, using the Maven onejar plugin, which packages all the required jars into a subdirectory of the "onejar", and provides a specialised classloader to allow Java to access the contents of those jars.
+
java -jar WebScarab-ng-X.X.X.one-jar.jar
 +
where X.X.X is downloaded version or use one of scripts (start.sh for Linux, start.bat for Windows) provided in WebScarab NG zip file (which can be found [https://code.google.com/p/webscarab-ng/downloads/list here]).
  
 
[[Category:OWASP WebScarab Project]]
 
[[Category:OWASP WebScarab Project]]
 
[[Category:OWASP WebScarab NG Project]]
 
[[Category:OWASP WebScarab NG Project]]

Latest revision as of 22:49, 22 January 2011

This page is intended to document the differences between WebScarab Classic and WebScarab Next Generation

The objective is to list the major features that one has over the other, with the intent to track the porting of desirable features from Classic to NG.

Framework functionality

NG has no concept of the shared cookie jar, which is used in Classic to allow plugins such as the Spider and Manual Request plugins to use the most current cookies for a particular URL. This could/should be replaced by an Identity module, which can provide the most current identifiers for a particular identity (cookies, Basic auth, etc).

NG now also has the Transcoder functionality, implemented as a non-modal dialog. It is intended to also implement "right-click" menus to perform various transcoding operations "in-place" in arbitrary text fields.

Plugins

NG has significantly fewer plugins than Classic. The only plugins currently implemented in NG are the Proxy, Manual Request and WebServices plugins.

This leaves the following plugins to be implemented:

  • Spider
  • Extensions
  • XSSCRLF
  • SessionIDAnalysis
  • Scripting
  • Fragments
  • Compare
  • Search

Proxy

Features that remain to be ported:

  • BeanShell scripts for programmatic modification of requests/responses
  • Miscellaneous proxy plugins - Reveal hidden fields, prevent caching of responses
  • Ability to modify Internet Explorer proxy settings automatically on startup and exit

Manual Request

Features that remain to be ported:

  • Ability to convert a request from a GET to a POST or multipart POST, and vice versa.

WebServices

Partially completed. Currently it is sufficient to access the WebGoat web service.

Features that remain to be ported:

  • Support for complex types (This functionality could easily be added if desired)

HTTP Protocol support

WebScarab-classic has support for authentication to servers using SSL client certificates (including those stored on a smart card), as well as using NTLM. NG does not currently support SSL client certificates at all. NTLM should be supported through the Apache HTTPClient library, but this has not been tested.

Porting suggestions

For people interested in contributing to this project by porting one of the above plugins, here are some suggestions:

  • SessionID analysis

The current session id analysis plugin, while looking cool is actually very misleading. Anyone wanting to implement this feature for NG would be advised to take a look at Michal Zalewski's stompy to see how it can be done better.

  • Search, Compare

These plugins are very clunky to use. It actually makes a lot more sense to make those features available as part of the primary interface, rather than relegating them to a backwater. Search should provide a simple interface where the operator can type some text and click Go, rather than having to write code.

Execution

WebScarab NG is distributed using the Maven onejar plugin, which packages all the required jars into a subdirectory of the "onejar", and provides a specialised classloader to allow Java to access the contents of those jars. To start WebScarab NG use following command in jar directory

java -jar WebScarab-ng-X.X.X.one-jar.jar

where X.X.X is downloaded version or use one of scripts (start.sh for Linux, start.bat for Windows) provided in WebScarab NG zip file (which can be found here).