[Owasp-webscarab] BeanShell Example
Rogan Dawes
lists at dawes.za.net
Sun Aug 15 15:35:11 EDT 2004
Laurent Hausermann wrote:
> Hi,
>
> I am trying your "fabulous" application (it's perfect to audit web
> development), and I found you have embedded a scripting language.
> I found www.beanshell.org, which is the original
> project page.
>
> But I can't find any example of scripting WebScarab with BeanShell.
> For example, I would like starting from a captured POST request, to
> regenerate the posted parameters.
>
> Some samples would be very helpful to understand WebScarab internal API.
>
> Regards,
>
> Laurent
Hi Laurent,
There are two main places where you can use BeanShell. Firstly, while
viewing/editing a request or response. Secondly, as a script that is
applied to all proxied requests and responses.
The first case is intended to allow for manipulation of requests and
responses under the control of the operator, on an ad hoc basis, e.g.
you are reviewing a request that contains a binary/serialised object.
You may write a script that deserialises the object, and displays the
object in question, or some of the parameters. It may change one of the
parameters, and then reserialise the object and pack it back into the
payload of the request.
The other case is provided for automated processing of requests or
responses that you don't want to perform manually, e.g. time-sensitive,
or simply tedious (repetitive) things like changing a header value in
*all* requests.
In the first case, there is a Request or Response object defined in the
respective view/edit window for the conversation, i.e. the top (Request)
BeanShell tab will have a Request object called "request", and the lower
(Response) BeanShell tab will have a Response object called "response"
that you can manipulate.
In the second case, you are providing a script that will be executed as
part of the proxy pipeline. You have an opportunity to modify the
request before the response is fetched, and an opportunity to modify the
response before it is returned to the browser. The default script is:
response = fetchResponse(request);
Here you can see that there is an object "request", and an object
"response". You should not need to worry about the function
"fetchResponse", simply recognise that this connects to the server, and
gets the response. The response is implicitly returned at the end of the
script.
If you wanted to remove a particular header from the request prior to
sending, you could change the script to:
request.deleteHeader("HeaderName");
response = fetchResponse(request);
Or if you wanted to add a marker to the response to note that you had
removed a header from the request, you might do:
request.deleteHeader("HeaderName");
response = fetchResponse(request);
response.addHeader("X-MyMarker", "I deleted HeaderName");
The best way to see what methods are available is to look at the
well-documented source for the following methods:
org.owasp.webscarab.model.Message (superclass for Request and Response)
org.owasp.webscarab.model.Request
org.owasp.webscarab.model.Response
The source code is included in the WebScarab installer that you
downloaded (it is an option that is not selected by default, I think),
so you might want to uninstall and reinstall WebScarab to get the source
code out of the archive. Alternatively, look at the online CVS page
under the OWASP CVS on SourceForge, under the webscarab tree.
Hope this was helpful.
Rogan
--
Rogan Dawes
*ALL* messages to discard at dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
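As an added example (not code from the original post or from the WebScarab project), here is a proxy-pipeline BeanShell script that combines the header removal described above with Laurent's question about regenerating the posted parameters of a captured form POST. It assumes the "request"/"response" objects and fetchResponse() behave as described in the reply; the getMethod(), getHeader(), setHeader(), getContent() and setContent(byte[]) calls and the bsh print() built-in are assumptions to verify against the Message and Request sources mentioned above.

```java
// Added example: WebScarab proxy-pipeline BeanShell script (not from the original post).
// Assumed API (check org.owasp.webscarab.model.Message / Request in your source copy):
//   request.getMethod(), getHeader(), setHeader(), getContent(), setContent(byte[])
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.StringTokenizer;

// 1. Strip compression negotiation so response bodies arrive readable in the proxy.
request.deleteHeader("Accept-Encoding");

// 2. For form POSTs, decode each posted parameter and regenerate the body from them.
int paramCount = 0;
String ctype = request.getHeader("Content-Type");
if ("POST".equals(request.getMethod()) && ctype != null
        && ctype.startsWith("application/x-www-form-urlencoded")) {
    byte[] body = request.getContent();
    if (body != null && body.length > 0) {
        String form = new String(body, "ISO-8859-1");
        StringBuffer rebuilt = new StringBuffer();
        StringTokenizer st = new StringTokenizer(form, "&");
        while (st.hasMoreTokens()) {
            String pair = st.nextToken();
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "ISO-8859-1");
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "ISO-8859-1");
            print("param " + name + " = " + value);   // bsh built-in print() (assumed available)
            paramCount++;
            // Edit name/value here to change a parameter before it is re-encoded.
            if (rebuilt.length() > 0) rebuilt.append('&');
            rebuilt.append(URLEncoder.encode(name, "ISO-8859-1"))
                   .append('=')
                   .append(URLEncoder.encode(value, "ISO-8859-1"));
        }
        // Write the regenerated body back and keep Content-Length consistent
        // (assumed not to be recalculated automatically by setContent()).
        byte[] newBody = rebuilt.toString().getBytes("ISO-8859-1");
        request.setContent(newBody);
        request.setHeader("Content-Length", String.valueOf(newBody.length));
    }
}

// 3. Fetch the response and tag it so the modification is visible in the conversation log.
response = fetchResponse(request);
response.addHeader("X-MyMarker", "Accept-Encoding removed; " + paramCount + " form params seen");
```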