[Owasp-webscarab] Regarding new changes

Rogan Dawes rogan at dawes.za.net
Thu Nov 5 08:59:42 EST 2009


Martin Holst Swende wrote:
> Regarding the changes that are now updated into head;
> 
> The whitelist filter has no UI. I did not add that, since it involved
> messing with auto-generated template-files and I am no swing-hacker. It
> would be good if "discard conversations" was called "white and blacklist
> filters" or something, and if user there could both make changes to,
> aswell as enable and disable whitelist and blacklist individually. As it
> is now, it is not really user-friendly -editing a properties-file:)

Truth be told, WebScarab was originally written using NetBeans, and
using the NetBeans UI generator.

I'm now using Eclipse, and I fear that the .form files no longer
correspond to the source code any more. I should really just delete
them, and remove the comments/warnings.

> Some other ideas that I have thought about that would be nice-to-have:
> * Fragments : Unusual server header directives.
> * Fragments-comments : Should look at javascript comments also
> * Fragments : look for stacktraces

Not difficult to do, as you have seen. I do think that it is probably a
good idea to rethink the user interface, though, as we are getting more
and more types of fragment to look at.

> * Fragments: double-clicking on a row in the bottom pane does not show
> the conversation. Perhaps a bug I introduced?

I don't think it ever did. I can check on that.

> * It would be nice to enable listening on more than one port. By doing
> that, it would be possible to run scenarios with e.g. two users on two
> browsers (FF and IE) going to separate ports, and then maybe
> auto-tagging the conversations so it is easier to separate the two
> streams of events when analysing the data.

WebScarab already supports multiple listeners, just don't specify a base
URL and you should be golden. However, there is no support for tagging
which was which based on the port that was used.

You could write a BeanShell/ScriptManager script to tag conversations
based on e.g. a User-Agent header value, of course.

> Rogan : do you think that
> would be problematic from a synchronization point of view? E.g. do you
> think there will be problems with parallel incoming requests?

Nah, that is already possible.

> * I like the tagging, but it would be nice to tag multiple dialogs at
> the same time.
> * When the xss-checker does its checks, the failed dialogs never enter
> the main model. Rogan - is that by design ? I would like them to be
> there, not least for forensics reasons.

AFAIK, that was by design (which was not mine).

> If anyone wants to implement any of this, please yell so I don't waste
> time on it :)
> 
> /Martin Holst Swende

Go for it!

Rogan
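An added example, not from this thread and not WebScarab's own code, of the tagging approach Rogan suggests above: a BeanShell-style Java snippet that derives a tag from the User-Agent header so that the Firefox and Internet Explorer streams from two listeners can be told apart when reviewing conversations. The `tagConversation` entry point and the `Map<String, String>` header view are assumptions standing in for whatever the real ScriptManager hook exposes.

```java
import java.util.Map;
import java.util.HashMap;
import java.util.regex.Pattern;

// Added example, not WebScarab's own code: classify a request by its
// User-Agent so conversations from two test browsers can be labelled.
public class UserAgentTagger {
    // Firefox identifies itself with "Firefox/<version>", classic IE with "MSIE <version>".
    private static final Pattern FIREFOX = Pattern.compile("\\bFirefox/\\d");
    private static final Pattern MSIE    = Pattern.compile("\\bMSIE \\d");

    /** Returns a short tag for a User-Agent value, or "OTHER" when it matches neither browser. */
    public static String tagFor(String userAgent) {
        if (userAgent == null || userAgent.trim().isEmpty()) return "NO-UA";
        if (FIREFOX.matcher(userAgent).find()) return "FF";
        if (MSIE.matcher(userAgent).find()) return "IE";
        return "OTHER";
    }

    /**
     * Hypothetical hook (an assumption, not a WebScarab API): a ScriptManager
     * script would call this once per conversation with the request headers.
     * Header names are case-insensitive, so the lookup ignores case.
     */
    public static String tagConversation(Map<String, String> requestHeaders) {
        String ua = null;
        for (Map.Entry<String, String> e : requestHeaders.entrySet()) {
            if (e.getKey().equalsIgnoreCase("User-Agent")) { ua = e.getValue(); break; }
        }
        // The User-Agent is supplied by the client, so this tag only separates
        // your own two test browsers; it is not evidence of which client really sent a request.
        return tagFor(ua);
    }

    public static void main(String[] args) {
        // Constructed sample headers for a stand-alone run.
        Map<String, String> firefox = new HashMap<String, String>();
        firefox.put("user-agent", "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20091102 Firefox/3.5.5");
        Map<String, String> ie = new HashMap<String, String>();
        ie.put("User-Agent", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)");
        Map<String, String> none = new HashMap<String, String>();
        none.put("Host", "example.invalid");

        System.out.println("firefox -> " + tagConversation(firefox));
        System.out.println("ie      -> " + tagConversation(ie));
        System.out.println("no UA   -> " + tagConversation(none));
    }
}
```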

