[Owasp-webscarab] WebScarab 20070504-1631 Questions
Rogan Dawes
lists at dawes.za.net
Mon Jul 30 05:43:01 EDT 2007
Mitchell, Chris (GE Indust, ConsInd, consultant) wrote:
> 1. XSS/CRLF plug-in
> I am unsure if I've missed something here, but when I use the XSS/CRLF
> from the full-featured interface I click on the "Check" button after
> selecting an entry and nothing happens to the bottom frame (where I
> would anticipate the response to appear).
Not sure about this one. I didn't write this plugin, and don't use it
much. Maybe Meder can respond to this one?
> 2. I am rather interested in storing the results of my analysis from
> WebScarab. Through testing of WebScarab NG I found the HSQLDB rather
> difficult to migrate. Perhaps I am missing something regarding the
> difference between each column's required data type when comparing the
> tables I am migrating? I have reviewed the "technical info" page where
> it refers to the existing schema and am still unclear as to what the
> final tables should look like.
Unfortunately, I have not made any concerted efforts to make WS-NG
portable across databases. Probably the most problematic item is
generating unique IDs for the conversation. In HSQLDB, this is an
attribute of the table/column. For other DBs, you may need a sequence, etc.
For this reason, I am considering migrating to a Hibernate backend,
which has already done all the hard work of abstracting the DB access.
> I have tried com.mysql.jdbc.Driver with only partial success. Although
> I was able to use the HSQLDB Manager's Transfer Tool, I may have
> experienced some difficulty with configuring a script to create the
> tables. If I use the MySQL schema prepared, the intercepted requests
> are the only thing visible. As a result the tables in the DB do not get
> updated with the new records. I would much rather use MS SQL, as this
> is the platform for my other database tables that deal with pen testing
> and the like. However, I still have yet to complete the JDBC
> connectivity phase (some problem with the Login).
>
> I could script this process once I have figured it out, but it would be
> much nicer if I could figure out how to use the non-"NG" version's
> (invaluable) plugins during my assessment and still use only one version
> of WebScarab instead of chaining them. Could you offer any suggestions?
Well, you might want to help port the old plugins to the NG framework?
> 3. I would also like some advice as to how I might avoid the error
> below. I am not certain I understand the ConnectionHandler all that
> well, but it would appear that I had overwhelmed the application through
> fuzz testing with Wikto while chained.
>
This error looks like your application/web server gave in. WebScarab
could not establish a connection to the server. Maybe you can throttle
Wikto down a little?
>
> Thanks in advance,
>
> Chris
Hope this helped a little.
Rogan
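To make the unique-ID problem above concrete, here is an added illustration (not WebScarab NG's real schema, which is not shown in this thread): one hypothetical conversation table declared for each database mentioned, plus the sequence-based alternative. The table and column names (conversation, id, request, response) and the sequence name are assumptions for the sake of the example; only the ID-generation syntax differs, but that difference is exactly what a hand-written migration script has to account for and what a Hibernate "native" generator would hide.

```sql
-- Added example, not WebScarab NG's own schema. Table/column names are
-- assumptions; the point is how each database hands out the unique ID.

-- HSQLDB: the ID is an attribute of the column itself.
-- Insert without specifying id; fetch the assigned value with CALL IDENTITY().
CREATE TABLE conversation (
  id       INTEGER GENERATED BY DEFAULT AS IDENTITY (START WITH 1) PRIMARY KEY,
  request  LONGVARCHAR,
  response LONGVARCHAR
);
INSERT INTO conversation (request, response) VALUES ('GET / HTTP/1.1', 'HTTP/1.1 200 OK');
CALL IDENTITY();

-- MySQL: AUTO_INCREMENT on the column; LAST_INSERT_ID() returns the new id.
CREATE TABLE conversation (
  id       BIGINT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  request  LONGTEXT,
  response LONGTEXT
);
INSERT INTO conversation (request, response) VALUES ('GET / HTTP/1.1', 'HTTP/1.1 200 OK');
SELECT LAST_INSERT_ID();

-- MS SQL Server: IDENTITY(seed, increment) on the column; SCOPE_IDENTITY()
-- returns the id generated in the current scope.
CREATE TABLE conversation (
  id       BIGINT IDENTITY(1,1) PRIMARY KEY,
  request  VARCHAR(MAX),
  response VARCHAR(MAX)
);
INSERT INTO conversation (request, response) VALUES ('GET / HTTP/1.1', 'HTTP/1.1 200 OK');
SELECT SCOPE_IDENTITY();

-- Sequence-based databases (Oracle, PostgreSQL, also HSQLDB 2.x and
-- SQL Server 2012+): the ID generator is a separate object, and the
-- application must ask it for the next value on every insert.
CREATE SEQUENCE conversation_seq START WITH 1 INCREMENT BY 1;
CREATE TABLE conversation (
  id       BIGINT PRIMARY KEY,
  request  CLOB,
  response CLOB
);
-- SQL:2003 form; PostgreSQL spells it nextval('conversation_seq').
INSERT INTO conversation (id, request, response)
  VALUES (NEXT VALUE FOR conversation_seq, 'GET / HTTP/1.1', 'HTTP/1.1 200 OK');
```

The practical consequence for a migration like the one Chris describes: a CREATE TABLE script copied from HSQLDB will either fail outright or, worse, create a plain INTEGER id column on the target, after which inserts that omit the id (as HSQLDB-style code does) are rejected or silently collide on the primary key. Checking the id column's definition on the target database is the first thing to verify when records stop appearing.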