[Owasp-webscarab] Performance Issue

Rogan Dawes lists at dawes.za.net
Thu Dec 7 02:07:46 EST 2006 

Harshit Madania wrote:
>   Hi
> I was trying to use Web Scarab as a proxy and  was using Bean Shell to 
> put in some policies for modifying the HTML before its thrown to the 
> user , but i am facing a serious issue with the performance of Web Scarab.
> Whenever the connection is slow and i dont receive response within a 
> short span.Then  WebScarab automatically starts a large number of 
> processes such as Fuzzer, Session ID Analysis , Spider and a few more.
> due to which i run out of memory. and the proxy crashes and i have to 
> restart webScarab.
> Is there any way by which i can prevent WebScarab from starting these 
> processes
> 
> Regards
> Harshit Madania

The other threads are started automatically when WebScarab starts, and 
are not as a result of your BeanShell manipulations. I doubt that it is 
because of these processes that WebScarab is running out of memory.

That said, WebScarab DOES have "out of memory" issues. These are related 
to the fact that it records all the conversations that pass through 
WebScarab for later review, and does not have a good mechanism for 
freeing up resources when the list of recorded conversations gets too 
long. If you watch the green bar at the bottom of the WebScarab 
interface, you can see the memory utilisation increasing over time.

There are a couple of things you can do:

1. If you don't actually want to review the conversations at a later 
stage, use a ScriptManager->Framework->Add Conversation script:

conversation.setCancelled(true);

which should prevent WebScarab from recording the conversation for later 
review.

2. Possibly, your BeanShell script is leaking. Check carefully to make 
sure that any resources that you allocate are available for garbage 
collection. Keep in mind that we are only using a single instance of the 
BeanShell interpreter, so resources allocated for one request may still 
be referenced when we get around to the next. It is probably a good idea 
to explicitly set references to null before your script exits, as far as 
possible, anyway.

3. Rebuild your own version of WebScarab that only starts the proxy 
plugin, and the BeanShell sub-plugin.

Hope this helps.

Rogan

More information about the Owasp-webscarab mailing list