[Owasp-leaders] OWASP Proxy

Rogan Dawes lists at dawes.za.net
Fri Dec 12 14:01:23 EST 2008

Hi folks,

I am happy to announce the development of a new project, which I am
tentatively calling "OWASP Proxy", subject to approval by the OWASP board.

Many security researchers want a reliable intercepting HTTP proxy that
they can use to build their own tools around. Some have resorted to
ripping bits out of existing OWASP tools, such as WebScarab, but this
has not really been a pleasant process, due to the baggage that the
existing tools drag along with them.

OWASP Proxy is a ground-up rewrite of a dead-simple proxy that provides
application developers a (currently only lightly) tested library that
they can easily extend to obtain their required functionality. It
provides a number of extension points whereby developers can be notified
of events such as a new Request, the retrieval of the Response headers,
as well as the Response body, and of course, any errors along the way.

It also supports streaming of large responses, so it is relatively
performant when the responses are not being intercepted. For example,
flash movies start playing immediately, rather than having to wait for
the entire movie to be retrieved by the proxy. Of course, if you want to
intercept a response, that streaming can be disabled.

One big reason to use OWASP Proxy is that it is binary clean to the best
of my ability. Things such as using two spaces instead of one between a
header and its value will persist through the proxy. The basic object is
the HTTP Message, represented by byte[] message. Of course there are
utility methods that work with the underlying byte[], and these may
normalise the parameters passed to them, but if you need the message to
be exactly what you set it to, that is entirely possible.

Enough of the intro, the code is available in a git repository on my
personal site. You can view the code and grab a snapshot at


or if you use git, you can clone the repo:

   $ git clone http://dawes.za.net/rogan/owasp-proxy/owasp-proxy.git/

The main class is org.owasp.proxy.daemon.Listener, and from there
everything should be fairly simple to understand. You can also look at
the test cases (very skimpy at the moment) to get some ideas on how
things are supposed to work.

Feedback is welcomed, either on the WebScarab list
(owasp-webscarab at lists.owasp.org), or directly to me.
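As an added illustration of the "binary clean" point above (this is example code written for this page, not code from OWASP Proxy; the class and function names are hypothetical), the snippet below contrasts a proxy that parses headers into a map and re-serialises them with one that keeps the raw bytes as the message and treats header accessors as normalising views over them.

```python
from typing import Optional

# Constructed sample response with non-canonical formatting: a lowercase
# header name, two spaces after the colon, and a trailing space in a value.
RAW = (b"HTTP/1.1 200 OK\r\n"
       b"content-type:  text/html\r\n"
       b"X-Trace: abc \r\n"
       b"\r\n"
       b"<html>hi</html>")


def normalising_roundtrip(raw: bytes) -> bytes:
    """Parse headers into a dict and re-serialise, as a naive proxy might.
    Names get title-cased and values stripped, so the bytes forwarded to the
    client are no longer what the server actually sent."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().title()] = value.strip()
    out = lines[0] + b"\r\n"
    for name, value in headers.items():
        out += name + b": " + value + b"\r\n"
    return out + b"\r\n" + body


class RawMessage:
    """Binary-clean message: the byte string is the message. Accessors may
    normalise what they return, but never rewrite the stored bytes."""

    def __init__(self, message: bytes) -> None:
        self.message = message

    def header(self, name: bytes) -> Optional[bytes]:
        # Case-insensitive lookup that trims the value for convenience only.
        head = self.message.partition(b"\r\n\r\n")[0]
        for line in head.split(b"\r\n")[1:]:
            n, _, v = line.partition(b":")
            if n.strip().lower() == name.lower():
                return v.strip()
        return None

    def body(self) -> bytes:
        return self.message.partition(b"\r\n\r\n")[2]

    def to_bytes(self) -> bytes:
        # Exactly the bytes that were set, whitespace quirks included.
        return self.message
```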
