[Owasp-webscarab] Running script on webscarab

Rogan Dawes lists at dawes.za.net
Mon Mar 3 15:56:48 EST 2008 

pagarwalla at simdeskcorp.com wrote:
> :) Thanks Rogan. will sure keep in mind. Sorry about that.
> While executing the script I get the below errors on my web page :
> 

Yeah, I forgot the import for NamedValue:

add

import org.owasp.webscarab.model.NamedValue;

up at the top with the other imports.

> Here's my req in detail :
> -----------------------
> 
> I want to run a script from Proxy -> Bean Shell which modify a 
> particular parameter on the Request which goes to web server when I 
> click on SEARCH button on my web page. Thats is why I wanted to change 
> the value of 'check' parameter and send the request to server.
> I would be checking for XSS vulnarebilities.
> 
> Also let me know if nay tutorial can help me to start writting the 
> scripts myself. I have gone through the tutorial for basic Java.

Well, it ultimately depends on what you want the scripts to do :-)

The basics can be had by looking at the appendix in the online help 
(i.e. the methods for Message, Request and Response). After that, it is 
pretty much up to you what you want your script to do.

Rogan
> 
> Thanks ,
> Priti
> 
> 
> 
> 
> Rogan Dawes wrote:
> 
>> pagarwalla at simdeskcorp.com wrote:
>>
>>>   Thanks for the response. 
>>
>>
>> No problem. Please do keep the list copied in future, though. If you 
>> ask me for help directly, I may have to charge you my consulting 
>> rates. :-)
>>
>>> Basically I need to check for XSS vulnerabilities on my web page and 
>>> I need to automate the testing using the scripting feature on Webscarab.
>>> I want to modify the Request to server which goes through Webscarab 
>>> (probably adding something like "<IMG 
>>> """><SCRIPT>alert("XSS")</SCRIPT>"> " to the " Check " parameter and 
>>> send to server. Also I need to check for the vulnerability in the 
>>> response.
>>>
>>> I think I should use use Proxy -> Bean shell for this. Let me know if 
>>> I am correct.
>>> My intension is not to write a complete program but to automate my 
>>> testing so that I won't need modify the outgoing request every time.
>>>
>>> Also, Please help me with a sample script for the same.
>>>
>>> Thanks for your help.
>>> Priti
>>>
>>
>> You don't provide a lot of details for me to write a sample script, 
>> but here goes anyway.
>>
>> It is written as a Proxy->Beanshell script, since that seems to be 
>> what you need. Please note that it is being written in my mail client, 
>> and may not be completely correct.
>>
>> import org.owasp.webscarab.model.Request;
>> import org.owasp.webscarab.model.Response;
>> import org.owasp.webscarab.httpclient.HTTPClient;
>> import java.io.IOException;
>>
>> public Response fetchResponse(HTTPClient nextPlugin, Request request) 
>> throws IOException {
>>    String query = request.getURL().getQuery();
>>    if (query == null)
>>       return nextPlugin.fetchResponse(request);
>>    NamedValue[] params = NamedValue.split(query, "&", "=");
>>    for (int i=0; i<params.length; i++) {
>>       if (params[i].getName().equals("Check"))
>>          params[i] = new NamedValue(params[i].getName(), 
>> params[i].getValue() + "\"><SCRIPT>alert(\"XSS\")</SCRIPT>\"> ");
>>    }
>>    query = params[0].getName() + "=" + params[0].getValue();
>>    for (int i=1; i<params.length; i++)
>>       query = query + "&" + params[i].getName() + "=" + 
>> params[i].getValue();
>>    int q = request.getURL().toString().indexOf("?");
>>    String url = request.getURL().toString().substring(0,q+1) + query;
>>    request.setURL(new HttpUrl(url));
>>    return nextPlugin.fetchResponse(request);
>> }
>>
>> Hope this helps.
>>
>> Rogan
>>
>>
>>> Rogan Dawes wrote:
>>>
>>>> pagarwalla at simdeskcorp.com <mailto:pagarwalla at simdeskcorp.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can anyone let me know how to use the Proxy -> Bean Shell ?
>>>>> I want to check for XSS on a particular web site. After putting my 
>>>>> code in the Proxy -> Bean Shell, I click on commit.
>>>>>
>>>>> Do i need to open the web page manually and then run the script. I 
>>>>> dint get info on OWASP site for 'How To Use Bean Shell / Scripted ..".
>>>>> Please help me.
>>>>>
>>>>> Thanks.
>>>>
>>>>
>>>> The Proxy -> BeanShell plugin only executes when a request/response 
>>>> goes through the proxy. The intention of this plugin is to allow for 
>>>> scripted *modifications* to requests/responses, for cases where it 
>>>> is impossible (or simply too tedious) to make the modifications by 
>>>> hand.
>>>>
>>>> If you want to write a complete program, I suggest looking at the 
>>>> "Scripted" plugin. This is actually where you should load the google 
>>>> script that you were asking about in a different email.
>>>>
>>>> Regards,
>>>>
>>>> Rogan
>>>>
>>>
>>> -- 
>>> Priti Agarwalla
>>> Test Engineer
>>> 713.690.6016 ext.256 (o)
>>> pagarwalla at simdeskcorp.com <mailto:pagarwalla at simdeskcorp.com>
>>> www.simdesk.com <http://www.simdesk.com>
>>>
>>>  
>>>
>>
>

More information about the Owasp-webscarab mailing list