[Owasp-webscarab] WebScarab question

Rogan Dawes lists at dawes.za.net
Thu Sep 7 04:36:20 EDT 2006


Dylan McReynolds <dmcreynolds at astoriasoftware.com> wrote:

> Hello,
> 
> I'm playing with WebScarab for the first time.
> 
> I would like to have WebScarab act as an authenticating proxy server for my 
> own application testing.  Is this possible?  Basic authentication is 
> fine, but I'd like to mimic proxy servers that challenge clients with a
> 
> Proxy-Authenticate 
> Is this possible?
> 
> Thanks.

Hi Dylan,

Yes, I see no reason why this should not be possible. The easiest way 
would be to write a BeanShell script in the Proxy->BeanShell plugin.

Something like:

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import java.io.IOException;

// BeanShell script for the Proxy->BeanShell plugin.
public Response fetchResponse(HTTPClient nextPlugin, Request request) 
throws IOException {
    String proxyAuth = request.getHeader("Proxy-Authorization");
    if (proxyAuth == null) {
       // No credentials supplied: answer with a 407 challenge instead of forwarding.
       Response response = new Response();
       response.setVersion("HTTP/1.0");
       response.setStatus("407");
       response.setMessage("Authentication required");
       response.setHeader("Proxy-Authenticate", "Basic realm=\"WebScarab\"");
       response.setHeader("Content-Length", "0");
       return response;
    }
    // A Proxy-Authorization header is present (its contents are not checked here):
    // pass the request on to the next plugin in the chain.
    Response response = nextPlugin.fetchResponse(request);
    return response;
}

This is straight from memory, and completely untested, so you may need 
to spell some headers differently, or provide some content, etc. But the 
concept should be valid. If you actually want to check the contents of 
the Proxy-Authorization header, that is up to you. But this should at 
least challenge you for *something*.

Hope this helps.

Rogan
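
Added example, not part of the original message and not WebScarab code: one way to check the contents of a Proxy-Authorization header for the Basic scheme, in plain Java. The class name ProxyBasicAuth and the credentials are hypothetical, and Java 8 or later is assumed for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class ProxyBasicAuth {
    // Constructed test credentials, not values from the original post.
    private static final String USER = "tester";
    private static final String PASS = "s3cret-example";

    /** Returns true only for a well-formed Basic credential matching USER/PASS. */
    public static boolean isAuthorized(String header) {
        if (header == null) return false;
        String[] parts = header.trim().split("\\s+", 2);
        // The authentication scheme name is case-insensitive.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return false;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return false; // token is not valid base64
        }
        String creds = new String(decoded, StandardCharsets.UTF_8);
        int colon = creds.indexOf(':'); // split at the first colon; the password may contain ':'
        if (colon < 0) return false;
        // Evaluate both comparisons so the result does not reveal which field failed.
        boolean userOk = constantTimeEquals(creds.substring(0, colon), USER);
        boolean passOk = constantTimeEquals(creds.substring(colon + 1), PASS);
        return userOk & passOk;
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder().encodeToString(
                (USER + ":" + PASS).getBytes(StandardCharsets.UTF_8));
        System.out.println(isAuthorized(good));                 // matching credential
        System.out.println(isAuthorized("basic dGVzdGVyOng=")); // "tester:x", wrong password
        System.out.println(isAuthorized("Basic !!!"));          // malformed base64
        System.out.println(isAuthorized(null));                 // header absent
    }
}
```

When this check returns false, the script can send the same 407 challenge it sends when the header is missing.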


