[Owasp-webscarab] Beanshell scripts from command line

Rogan Dawes lists at dawes.za.net
Sat Dec 9 14:53:05 EST 2006 

Puig, Joan (ES - Barcelona) wrote:
> 
> 
> During a pentest assignment, I use webscarab to "spider" a web app, 
> analyze which functions it offers (usually, POSTs), which parts it has, 
> etc.
> 
> After gathering this information, I prepare a list of tests to run 
> (fuzzying parameters, trying XSS attacks, etc.) based on Owasp Top Ten. 
> In order to keep all the information together, I document everything in 
> a spreadsheet (Excel, usually).
> 
> Some of the tests (beanshell scripts) could be run automatically from 
> Excel (or any other spreadsheet software with macros), instead of 
> starting webscarab, manually loading the script, manually loading the 
> script and manually copying the results to the spreadsheet (whether they 
> were obtained via out.println(...) or written to another file).
> 
> The simplest way to integrate both would be to run command line scripts 
> from the spreadsheet, if webscarab (or some other piece of software 
> using webscarab libraries) could be used from the command line to run 
> scripts (and then terminate).
> 
>  
> 
> Thank you for the information!
> 
> Joan Puig
> 

You may actually find it easier to use only a few of the custom classes 
in WebScarab, primarily the FetcherQueue, via the BeanShell interpreter.

e.g. Write a BeanShell like:

import org.owasp.webscarab.model.*;
import org.owasp.webscarab.httpclient.*;

public void responseReceived(Response response) {
     // do whatever you want to with your response
}

public void requestError(Request request, IOException ioe) {
     // do whatever you like when you receive an error
}

int threads = 4;
int delay = 0; // delay between requests
FetcherQueue fetcher = new FetcherQueue("MyQueue", this, threads, delay);

boolean moreRequests = true;
while (moreRequests) {
     Request request = new Request();
     // now construct your requests
     queue.submit(request);
}
while (queue.isBusy())
     Thread.sleep(500);
queue.stop();

and you can just invoke it using the normal beanshell interpreter

This will give you all the power of the Scripted plugin, as well as the 
multi-threaded fetching. The only thing to keep in mind is if you need 
to use an upstream proxy to get out of your network.

Rogan

More information about the Owasp-webscarab mailing list