[Owasp-leaders] [Owasp-webscarab] OWASP Proxy

Stephen de Vries stephen at twisteddelight.org
Sun Dec 14 04:20:35 EST 2008


On Dec 14, 2008, at 9:10 AM, Rogan Dawes wrote:
>
> WebScarab's proxy and HttpClient implementation were also not as
> "binary-clean" as some people would have liked. For example, while
> parsing message headers, WebScarab would normalise "Host:  host" (note
> two spaces between ":" and "host") back to "Host: host" (only one
> space). For some people, that was a big deal, and prevented them from
> using WebScarab entirely. Amongst other things, it meant that WebScarab
> was unsuited to testing client-side vulnerabilities. OWASP Proxy uses a
> byte[] to represent the entire message that is sent between client and
> server and vice versa, and then layers more friendly methods for
> accessing specific message properties on top of that.
>
> So, OWASP Proxy is intended to address these issues. It is a small (45kB
> jar) library (not a stand-alone executable) that Java developers can use
> when they need to add intercepting or logging proxy capabilities to
> their own programs.

Out of interest, will it be easy to strip out just the http client  
implementation from the OWASP Proxy library?  IMO, this could be very  
useful as the Apache HttpClient is really the only viable library  
available at the moment.  It would be nice to have an alternative  
that's more literal and doesn't try to fix requests.

Stephen
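
The difference discussed in this thread, sketched as an added example that is not part of either message and not OWASP Proxy's own code: a message object that keeps the wire bytes as a byte[] and layers a read-only header accessor on top, next to a parse-then-rebuild routine that collapses "Host:  host" to "Host: host". The names RawMessage, getHeader, toBytes and normalise are hypothetical, and the request is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration: class and method names are hypothetical, not OWASP Proxy's API.
public class RawMessageDemo {
    /** Holds the wire bytes untouched; accessors only read from them. */
    static final class RawMessage {
        private final byte[] raw;
        RawMessage(byte[] raw) { this.raw = raw.clone(); }
        byte[] toBytes() { return raw.clone(); }

        /** Trimmed value of the first matching header, or null if absent. */
        String getHeader(String name) {
            String text = new String(raw, StandardCharsets.ISO_8859_1);
            int end = text.indexOf("\r\n\r\n");
            String[] lines = (end < 0 ? text : text.substring(0, end)).split("\r\n");
            for (int i = 1; i < lines.length; i++) { // lines[0] is the request line
                int colon = lines[i].indexOf(':');
                if (colon > 0 && lines[i].substring(0, colon).equalsIgnoreCase(name)) {
                    return lines[i].substring(colon + 1).trim();
                }
            }
            return null;
        }
    }

    /** Parse-then-rebuild: each header is re-emitted as "Name: value". */
    static byte[] normalise(byte[] raw) {
        String text = new String(raw, StandardCharsets.ISO_8859_1);
        int end = text.indexOf("\r\n\r\n");
        String[] lines = (end < 0 ? text : text.substring(0, end)).split("\r\n");
        StringBuilder out = new StringBuilder(lines[0]).append("\r\n");
        for (int i = 1; i < lines.length; i++) {
            int colon = lines[i].indexOf(':');
            if (colon <= 0) { out.append(lines[i]).append("\r\n"); continue; }
            out.append(lines[i], 0, colon).append(": ")
               .append(lines[i].substring(colon + 1).trim()).append("\r\n");
        }
        out.append("\r\n").append(end < 0 ? "" : text.substring(end + 4));
        return out.toString().getBytes(StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        // Constructed sample request with two spaces after "Host:".
        byte[] wire = "GET / HTTP/1.1\r\nHost:  example.test\r\n\r\n"
                .getBytes(StandardCharsets.ISO_8859_1);
        RawMessage msg = new RawMessage(wire);
        System.out.println("Host = " + msg.getHeader("Host"));
        System.out.println("raw bytes preserved: " + Arrays.equals(wire, msg.toBytes()));
        System.out.println("rebuilt copy identical: " + Arrays.equals(wire, normalise(wire)));
    }
}
```

Comparing the bytes a tool forwards against the bytes it received, as the last two lines do, is a quick check of whether a proxy or client library is rewriting messages in transit.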

