[Owasp-leaders] [Owasp-webscarab] OWASP Proxy

Nam Nguyen namn at bluemoon.com.vn
Sun Dec 14 05:32:40 EST 2008

On Sun, 14 Dec 2008 10:20:35 +0100
Stephen de Vries <stephen at twisteddelight.org> wrote:

> On Dec 14, 2008, at 9:10 AM, Rogan Dawes wrote:
> >
> > WebScarab's proxy and HttpClient implementation were also not as
> > "binary-clean" as some people would have liked. For example, while
> > parsing message headers, WebScarab would normalise "Host:  host" (note
> > two spaces between ":" and "host") back to "Host: host" (only one
> > space). For some people, that was a big deal, and prevented them from
> > using WebScarab entirely. Amongst other things, it meant that  
> > WebScarab
> > was unsuited to testing client-side vulnerabilities. OWASP Proxy  
> > uses a
> > byte[] to represent the entire message that is sent between client and
> > server and vice versa, and then layers more friendly methods for
> > accessing specific message properties on top of that.
> >
> > So, OWASP Proxy is intended to address these issues. It is a small  
> > (45kB
> > jar) library (not a stand-alone executable) that Java developers can  
> > use
> > when they need to add intercepting or logging proxy capabilities to
> > their own programs.

Do I hear re-usability? Lovely!

> Out of interest, will it be easy to strip out just the http client  
> implementation from the OWASP Proxy library?  IMO, this could be very  
> useful as the Apache HttpClient is really the only viable library  
> available at the moment.  It would be nice to have an alternative  
> that's more literal and doesn't try to fix requests.

My bet is it is not the objective of OWASP Proxy, unless Rogan has another plan.

By the way, talking about WebScarab-NG, I would very much like to see support for SOCKS 4/5 proxy. Probably that can be factored into this OWASP Proxy library?


More information about the OWASP-Leaders mailing list