[Owasp-leaders] [Owasp-webscarab] OWASP Proxy
namn at bluemoon.com.vn
Sun Dec 14 05:32:40 EST 2008
On Sun, 14 Dec 2008 10:20:35 +0100
Stephen de Vries <stephen at twisteddelight.org> wrote:
> On Dec 14, 2008, at 9:10 AM, Rogan Dawes wrote:
> > WebScarab's proxy and HttpClient implementation were also not as
> > "binary-clean" as some people would have liked. For example, while
> > parsing message headers, WebScarab would normalise "Host:  host" (note
> > two spaces between ":" and "host") back to "Host: host" (only one
> > space). For some people, that was a big deal, and prevented them from
> > using WebScarab entirely. Amongst other things, it meant that
> > WebScarab was unsuited to testing client-side vulnerabilities. OWASP
> > Proxy uses a byte to represent the entire message that is sent between
> > client and server and vice versa, and then layers more friendly
> > methods for accessing specific message properties on top of that.
> > So, OWASP Proxy is intended to address these issues. It is a small
> > (45kB jar) library (not a stand-alone executable) that Java developers
> > can use when they need to add intercepting or logging proxy
> > capabilities to their own programs.
Do I hear re-usability? Lovely!
> Out of interest, will it be easy to strip out just the http client
> implementation from the OWASP Proxy library? IMO, this could be very
> useful as the Apache HttpClient is really the only viable library
> available at the moment. It would be nice to have an alternative
> that's more literal and doesn't try to fix requests.
My bet is it is not the objective of OWASP Proxy, unless Rogan has another plan.
By the way, talking about WebScarab-NG, I would very much like to see support for SOCKS 4/5 proxy. Probably that can be factored into this OWASP Proxy library?