[OWASP-WEBSCARAB] Search plugin
Rogan Dawes
lists at dawes.za.net
Thu Apr 13 13:16:50 EDT 2006
Hi folks,

I figured it would be a good idea to explain how the Search plugin works. Admittedly it is slightly buggy at the moment, and sometimes throws ArrayIndexOutOfBoundsExceptions. Those can be solved by resorting the table, I think. I'll try to fix this before the next release.

Anyway! ;-)

The idea is that you can create a number of stock searches that you perform on a regular basis, as well as ad hoc searches that may only apply to a particular project/assignment. Once your searches have been created, they appear in the dropdown list at the top of the conversation table in the search plugin.

You specify searches using BeanShell expressions, and can perform any operations on the predefined request and response objects. These objects correspond to the request and response for each conversation that has been seen so far.

It is probably easiest to look at some examples.

Say you only want to see POST requests:

    Name: POST (arbitrary, name it whatever you like)
    Expression: request.getMethod().equals("POST")

Or you want to see responses that set a cookie, but only those that were set over an SSL connection:

    request.getURL().toString().startsWith("https://") &&
    response.getHeader("Set-Cookie") != null

How about responses that contain a specific string (or match a pattern):

    new String(response.getContent()).indexOf("specific string") > -1
    new String(response.getContent()).matches("(?s).*pattern.*")

That is worth explaining a bit, I guess.

response.getContent() returns an array of bytes, so we convert that to a String so we can use the handy indexOf() and matches() methods. Of course, matches() defaults to checking things on a line by line basis (i.e. "." does not match a CR or LF), so we have to specify that the regex SHOULD allow "." to match a CR or LF by using the (?s) extension in the regular expression. You can also specify that the regex should be case-insensitive using the (?i) extension. Or in combination that would be (?is).

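As an added illustration (not part of Rogan's post and not WebScarab's own code), the program below runs the searches from the message over a few constructed request/response pairs. The Request, Response and Conversation classes are hypothetical stand-ins that expose only the accessors the post uses (getMethod, getURL, getHeader, getContent); in WebScarab itself the same expressions are typed as BeanShell over the predefined `request` and `response` objects. The sample bodies contain line breaks so that the difference between a pattern with and without `(?s)` is visible. One deliberate deviation: the bytes are decoded with an explicit charset rather than the JVM default that `new String(bytes)` uses.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiPredicate;

public class SearchDemo {

    // Hypothetical stand-ins for WebScarab's request/response objects: only the
    // accessors used in the post (getMethod, getURL, getHeader, getContent) are modelled.
    static class Request {
        private final String method;
        private final URI url;
        Request(String method, String url) { this.method = method; this.url = URI.create(url); }
        String getMethod() { return method; }
        URI getURL() { return url; }
    }

    static class Response {
        private final Map<String, String> headers = new LinkedHashMap<>();
        private final byte[] content;
        Response(String body) { this.content = body.getBytes(StandardCharsets.UTF_8); }
        Response header(String name, String value) { headers.put(name, value); return this; }
        String getHeader(String name) { return headers.get(name); }
        byte[] getContent() { return content; }
    }

    // One conversation is one request/response pair, as in the conversation table.
    static class Conversation {
        final Request request;
        final Response response;
        Conversation(Request request, Response response) { this.request = request; this.response = response; }
    }

    // The searches from the post, written as Java predicates over (request, response).
    static final Map<String, BiPredicate<Request, Response>> SEARCHES = new LinkedHashMap<>();
    static {
        SEARCHES.put("POST",
            (request, response) -> request.getMethod().equals("POST"));
        SEARCHES.put("Cookie set over SSL",
            (request, response) -> request.getURL().toString().startsWith("https://")
                && response.getHeader("Set-Cookie") != null);
        SEARCHES.put("Contains 'syntax error'",
            (request, response) -> body(response).indexOf("syntax error") > -1);
        // Without (?s) the '.' does not match CR or LF, so matches() fails on a multi-line body.
        SEARCHES.put("Regex, no (?s)",
            (request, response) -> body(response).matches(".*syntax error.*"));
        SEARCHES.put("Regex, (?s)",
            (request, response) -> body(response).matches("(?s).*syntax error.*"));
        // (?is): '.' matches line terminators and the match is case-insensitive.
        SEARCHES.put("Regex, (?is)",
            (request, response) -> body(response).matches("(?is).*SYNTAX ERROR.*"));
    }

    // Decode the body with an explicit charset (the post's new String(bytes) uses the JVM default).
    static String body(Response response) {
        return new String(response.getContent(), StandardCharsets.UTF_8);
    }

    // Returns the zero-based indexes of the conversations a named search selects.
    static List<Integer> runSearch(String name, List<Conversation> conversations) {
        BiPredicate<Request, Response> search = SEARCHES.get(name);
        List<Integer> hits = new ArrayList<>();
        for (int i = 0; i < conversations.size(); i++) {
            Conversation c = conversations.get(i);
            if (search.test(c.request, c.response)) hits.add(i);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample conversations, not captured traffic.
        List<Conversation> conversations = List.of(
            new Conversation(new Request("GET", "http://example.test/"),
                new Response("<html><body>Welcome</body></html>")),
            new Conversation(new Request("POST", "https://example.test/login"),
                new Response("<html>\n<body>\nLogged in\n</body>\n</html>")
                    .header("Set-Cookie", "session=abc; Secure")),
            new Conversation(new Request("POST", "https://example.test/search"),
                new Response("<html>\n<body>\nSQL syntax error near 'x'\n</body>\n</html>")));

        for (String name : SEARCHES.keySet()) {
            System.out.println(name + " -> " + runSearch(name, conversations));
        }
    }
}
```

Running it shows the third conversation selected by the `(?s)` and `(?is)` searches and by indexOf(), while the same pattern without `(?s)` selects nothing, because its body spans several lines.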
Let me know if you have any questions.
Regards,
Rogan