[Owasp-webscarab] Re: BeanShell Example

Rogan Dawes discard at dawes.za.net
Tue Aug 17 04:51:42 EDT 2004

Laurent Hausermann wrote:

> Many thanks Rogan for such a detailed email!
> I understand now well the design and the philosophy for WebScarab. In 
> fact, I played with modifying the header,
> and combined with "Intercept Request" I could do it "on the fly"... 
> really cool stuff.
> I have also looked at the source code, and I realized that the code for 
> "getParameters" and "setParameters" was commented out... and I wanted to
> make a script that rebuilds parameters with some random number (in order 
> to test the cgi handling the request).
> Like this:
> import java.util.Random;
> random_gen = new Random();
> int random_num = random_gen.nextInt( 10 );
> request.setMethod("POST");
> request.addParameter("my_id", random_num);
> Have you got a way to manipulate the POST parameters like this with a 
> BeanShell script?

Well, the get and setParameters code was commented out, because it was 
making assumptions about the request that were potentially invalid. e.g. 
if we have a multi-part POST, the parameters are constructed in a 
different way.

The correct way to do it would be to build up your POST body yourself as 
a String, or StringBuffer, and apply it using 

> Moreover, I would add some feature requests:
>   o It would be great to have a basic script loading/unloading feature. 
> The minimum should be to load a script from a file and to have a history 
> window where
>      you could rerun them. Some shortcuts on scripts would be great also.

It is intended, certainly, but I have not got around to implementing 
that. If you are interested in contributing to WebScarab, maybe that is 
where you could start?

>   o Is there any way to have interaction with the WebScarab user, like a 
> popup window to ask for script parameters?

Yes, you can do anything that you can in Java, using beanscript. Just be 
careful to do things in the appropriate threads, because GUI stuff must 
run in the Swing event dispatching thread. Check how the ManualEdit 
plugin works for details/ideas.

>   o Is there any "output" console? Currently, if you do a 
> "System.out.println", your output is on the application console. An 
> output window would be great.

I'm not currently sure how to set the output stream. In fact, I'm not 
sure where to send it to. Maybe a window in the panel where you enter 
the script? What do you think?

> I appreciate the "open" way you are designing and developing WebScarab, 
> go on!

I intend to! ;-) Thanks for the encouragement!

> Regards,
> Laurent

Rogan Dawes
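
The approach described in the reply above (building the POST body yourself as a string), as an added example that is not part of the original message or of WebScarab's code. It covers only a plain application/x-www-form-urlencoded body, not multi-part; the class name and the "comment" parameter are made up for illustration, and attaching the result to the WebScarab request is left out because the message does not name that call.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Random;

public class FormBodyExample {

    // Build an application/x-www-form-urlencoded body from ordered
    // name/value pairs. Names and values are both percent-encoded so that
    // '&', '=' and spaces inside a value cannot split or merge parameters.
    static String buildFormBody(Map<String, String> params)
            throws UnsupportedEncodingException {
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (body.length() > 0) {
                body.append('&');
            }
            body.append(URLEncoder.encode(e.getKey(), "UTF-8"))
                .append('=')
                .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return body.toString();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        Random randomGen = new Random();

        // LinkedHashMap keeps the parameters in insertion order.
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("my_id", String.valueOf(randomGen.nextInt(10)));
        params.put("comment", "a&b=c d"); // constructed value with reserved characters

        String body = buildFormBody(params);
        byte[] content = body.getBytes("UTF-8");

        // Headers that must agree with the rebuilt body; Content-Length is
        // the byte count of the encoded body, not the character count.
        System.out.println("Content-Type: application/x-www-form-urlencoded");
        System.out.println("Content-Length: " + content.length);
        System.out.println();
        System.out.println(body);
    }
}
```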

