[Owasp-webscarab] WebScarab 20070504-1631 Questions

Mitchell, Chris (GE Indust, ConsInd, consultant) chris.mitchell at ge.com
Fri Jul 27 11:05:03 EDT 2007 

1.  XSS/CRLF plug-in
I am unsure if I've missed something here, but when I use the XSS/CRLF
from the full-featured interface I click on the "Check" button after
selecting an entry and nothing happens to the bottom frame (where I
would anticipate the response to appear).

2.  I am rather interested in storing the results of my analysis from
WebScarab.  Through testing of WebScarab NG I found the HSQLDB rather
difficult to migrate.  Perhaps I am missing something regarding the
difference between each column's required data type when comparing the
tables I am migrating?  I have reviewed the "technical info" page where
it refers to the existing schema and am still unclear as to what the
final tables should look like.

I have tried com.mysql.jdbc.Driver with only partial success.  Although
I was able to use the HSQLDB Manager's Transfer Tool, I may have
experienced some difficulty with configuring a script to create the
tables.  If I use the MySQL schema prepared, the intercepted requests
are the only thing visible.  As a result the tables in the DB do not get
updated with the new records.  I would much rather use MS SQL, as this
is the platform for my other database tables that deal with pen testing
and the like.  However, I still have yet to complete the JDBC
connectivity phase (some problem with the Login).

I could script this process once I have figured it out, but it would be
much nicer if I could figure out how to use the non-"NG" version's
(invaluable) plugins during my assessment and still use only one version
of WebScarab instead of chaining them.  Could you offer any suggestions?

3.  I would also like some advice as to how I might avoid the error
below.  I am not certain I understand the ConnectionHandler all that
well, but it would appear that I had overwhelmed the application through
fuzz testing with Wikto while chained.

-----Response Error-----
HTTP/1.0 500 WebScarab error
Content-Type: text/html
Connection: Close

<HTML><HEAD><TITLE>WebScarab Error</TITLE></HEAD><BODY>WebScarab
encountered an error trying to retrieve <P><pre>GET http://<url>
HTTP/1.0
Accept: */*
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: <host>

</pre><P>The error was : <P><pre>Connection refused: connect
	at java.net.PlainSocketImpl.socketConnect(Native Method)
	at java.net.PlainSocketImpl.doConnect(Unknown Source)
	at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
	at java.net.PlainSocketImpl.connect(Unknown Source)
	at java.net.SocksSocketImpl.connect(Unknown Source)
	at java.net.Socket.connect(Unknown Source)
	at
org.owasp.webscarab.httpclient.URLFetcher.connect(URLFetcher.java:368)
	at
org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:
229)
	at
org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(Cook
ieTracker.java:130)
	at
org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(Brows
erCache.java:101)
	at
org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(Revea
lHidden.java:100)
	at
org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShel
l.java:229)
	at
org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualE
dit.java:243)
	at
org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler
.java:233)
	at java.lang.Thread.run(Unknown Source)
</pre><P></HTML>

Thanks in advance,

Chris

More information about the Owasp-webscarab mailing list