[Owasp-webscarab] Re: New release of WebScarab

rogan at dawes.za.net rogan at dawes.za.net
Tue Jan 4 03:30:09 EST 2005


Quoting Juan Carlos <johnccr at yahoo.com>:

> Hi Rogan
> 
> your obfuscation was very "obfuscative" for me :), so I
> found your email on your family page.

Sorry about that.
> 
> I know that in Open Source projects it is very difficult
> to get feedback, so I want to contribute a little in
> this regard. I performed some little testing on the new
> release and found the following:
> 
Great, thanks for letting me know what you think.

> ==Summary==
> -"Tree Selection filters conversation list" does not
> work, shows only current level files

The intention of the "filter" is that if you have selected a particular URL, it
should only show conversations related to that URL. Are you suggesting that it
should show conversations for all children of that URL?

> -If you select an item in this view, go to the spider,
> fetch something and get back, the whole list of
> conversations will be shown.

Ah, I think I know what is happening. Unfortunately, the TreeTable
implementation that I am using loses the selection whenever anything happens in
the tree. So when a new URL appears, or even a value in a column changes (I
think), the selection is reset to nothing, and the filter is removed.

I'll have to investigate the TreeTable code to fix this. Unfortunately, I'm not
so hot on the detailed Swing programming, so it might take a while.

> -Right click and select "Spider Tree" option; it seems
> that it doesn't work.
> 
I'll have to check this out. This should be effectively the same as selecting
that URL in the spider panel, and saying "Fetch Tree". Of course, if there are
no "unseen" links under the selection, nothing will happen.

> ==Fragments==
> -Very nice, I like this new section. Here I see there
> is no way to know where the fragment came from,
> though.

True. I'll have to take a look at how we can do that . . . 
> 
> ==Proxy==
> --Listeners--
> -What is the small table containing Time, ID, Method,
> URL and Status columns for?

It is intended to show pending requests/responses/error messages. But I've not
actually got around to populating it yet. I thought it might be useful, but
I've not actually needed it so much . . . .
> 
> --Manual Edit--
> -I like the different filters in Manual Edit a lot
> -For Bean Shell, I've never found the "documentation"

The documentation is basically the JavaDoc for the Request, Response and Message
classes. Request and Response both inherit from Message, so there is common
functionality.

The most useful methods will be:

request.setMethod("GET"); // or "POST", etc.
request.setURL(new HttpUrl("http://..."));
request.setVersion("HTTP/1.0"); // no default for this, should fix

response.getStatus();
response.getStatusLine();
response.getVersion();

message.getHeader("User-Agent"); // or whatever header name you need
message.setHeader("Referer", "my referer");
message.deleteHeader("User-Agent");
message.getContent();
message.setContent(content); // content is a byte[]


> -Miscellaneous options: it's just nice functionality,
> but static.

The cookie synchronisation is a bit more dynamic, and might not be too easy in a
script . . . 

> Bean Shell seems great for dynamic
> processing of pages, but you have only one at a time.
> So why not merge these two options into kind-of
> rules, written in Bean Shell and reusable by
> selecting them from a list. They could be shared and
> reused.

Yes, I was thinking of that, too. But it would probably make more sense to have
"event-handlers" rather than the current "wrapper" approach that I have taken.

The reason for the "wrapper" approach (i.e. each proxy plugin wraps the preceding
ones) is that if you want to remember something between modifying the request,
and make a modification to a response ONLY if you did something to the request,
it makes it a lot easier to wrap, rather than to use an event handler.

Does anyone else have an opinion on this? If there are strong feelings either
way, it will help me to make a decision . . . 

> I know there is a plug-in platform, however,
> this will add a lot of functionality to WebScarab and
> will not fill it up with several different tabs. What
> do you think?
> 
> ==Spider==
> -Fetch Tree does not work, only Fetch Selection
> -IMHO "Javascript:" links should not be listed

Hmmm. Javascript links are not supposed to be listed. Guess I'm not doing a
case-insensitive match . . . will have to check this.

I DO think that it is important to do SOMETHING with script links though. Many
sites use them to do their navigation, and because the spider cannot follow
them automatically, the user needs to do it manually, I guess.

I have put in some code for special case script handling, e.g.
window.location="static string" could be translated into a link without too much
difficulty, but I still need to flesh it out.

At the moment, I'm thinking of how to parse it, and whether it would be better
to use Rhino (a Java Javascript engine), rather than trying to do the basic
parsing myself.

Thoughts? Comments? Any takers? ;-)

> 
> ==General Comments==
> -Thanks for HTML view and Multipart editor.
> -Still could not specify an Initial Directory for
> windows; this is very annoying.

Will have to check this out. Sorry.

> -Perhaps a "Save" session would be appropriate: you
> could initially save the info in a temporary folder,
> then "dump" it to another when the "Save" option is
> selected and a specific folder is given. Especially
> because now you are not warned when trying to open a
> conversation detail; I forgot to create a new session
> and lost all my data.

Right. Sorry about that. Maybe I should do a warning popup if we are using a
temporary directory? This functionality was specifically requested by another
user, but I don't want people to lose their work, either.

> 
> Hope this helps 
> 
> If you need any further clarification about an issue
> please let me know.
> 
> Regards and happy new year
> 
> -Juan Carlos

Thanks for your feedback. It is MUCH appreciated.

Rogan
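As an added illustration (not code from this mail or from the WebScarab project), here is a Bean Shell script in the "wrapper" style Rogan describes, built only from the Request/Response/Message methods he lists: one call edits the request, fetches the response through the next plugin, and annotates the response only if it changed the request. The fetchResponse(HTTPClient, Request) entry point and the import paths are assumptions about how the plugin invokes the script; the User-Agent value and the X-WebScarab-Note header name are constructed.

```java
import java.io.IOException;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;

// Constructed test value: the Manual Edit script replaces the browser's
// User-Agent with this so that the server sees a fixed, known client string.
String TEST_AGENT = "WebScarab-test-client/1.0";

// Assumed entry point: the Bean Shell plugin hands the script the next plugin
// in the chain and the request; the script returns the response it obtains.
public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    // Local state lives across the whole exchange, which is what the
    // "wrapper" approach buys over a pair of separate request/response handlers.
    boolean rewroteAgent = false;
    String originalAgent = request.getHeader("User-Agent");

    // There is no default version yet (see the method list in the mail),
    // so set it explicitly on every request.
    request.setVersion("HTTP/1.0");

    // Replace the User-Agent, remembering that this script changed the request.
    if (originalAgent != null && !originalAgent.equals(TEST_AGENT)) {
        request.deleteHeader("User-Agent");
        request.setHeader("User-Agent", TEST_AGENT);
        rewroteAgent = true;
    }

    // Pass the (possibly modified) request down the chain to get the response.
    Response response = nextPlugin.fetchResponse(request);

    // Touch the response ONLY if the request was modified; untouched
    // conversations go back to the browser exactly as received.
    if (rewroteAgent) {
        String note = "User-Agent rewritten from " + originalAgent;
        // For redirects, record where the server sent the rewritten request.
        if (String.valueOf(response.getStatus()).startsWith("3")) {
            note = note + "; " + response.getStatusLine()
                 + " -> " + response.getHeader("Location");
        }
        // Constructed header name; it shows up in the conversation view.
        response.setHeader("X-WebScarab-Note", note);
    }
    return response;
}
```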



