owasp / owasp-webscarab
OWASP WebScarab
Home Page: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
License: GNU General Public License v2.0
This is the WebScarab open source project, hosted at http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project. It aims to become a tool that may be used automatically or interactively to test web applications for their security. WebScarab is written in 100% pure Java and designed using a fairly clean set of interfaces to allow for removal and substitution of existing components, or addition of new analysis systems. For more details, please see the URL above.
I encountered a weird locking-related issue that leads to high CPU load under certain conditions. Both http and https are affected.
Obviously, this is bad. One browser request should not freeze WS. I tried reproducing this case with a page containing 200 links and a page containing 5 iframes to the previous page with 200 links. That did not expose the issue. For now you have to use youtube (more specific, the flash player) to reproduce it.
The branch I use for debugging this issue: https://github.com/Lekensteyn/OWASP-WebScarab/tree/lock-debug. I added some colored debug prints and observed:
A quick look at the involved locks makes me think that locks are used for:
My questions:
While working on this issue, consider moving to java.util.concurrent as recommended by the author of the concurrency classes.
URL to plugin repository for onejar-maven-plugin changed to: http://onejar-maven-plugin.googlecode.com/svn/mavenrepo
The project can be found at https://code.google.com/p/onejar-maven-plugin/ now.
I tried to configure WebScarab in the Mozilla Firefox settings (latest version 121). However, it did not work, as I could not connect to the internet after configuring Mozilla version 121. Does WebScarab even work with Mozilla's latest version 121? There is no answer to this question on Google. That is why I asked the question.
I have encountered a strange error with a public server (which is quite misconfigured). The most important misconfiguration that affects Webscarab is that it provides a root certificate that uses MD2withRSA. This algorithm is rejected by Java because of its weakness, but that also breaks the connection setup.
When using the default trusted root certificates (Firefox, Java with the default trust store), the handshake completes. I have tracked down the issue to org/owasp/webscarab/httpclient/SSLContextManager.java. Changing it to use the default trust store allows Java to validate the certificate against an existing root cert, so the last cert can be skipped. This of course means that self-signed certs and other untrusted certs get rejected by WS:
--- a/src/org/owasp/webscarab/httpclient/SSLContextManager.java
+++ b/src/org/owasp/webscarab/httpclient/SSLContextManager.java
@@ -50,7 +50,7 @@ public class SSLContextManager extends AbstractCertificateRepository {
System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
try {
_noClientCertContext = SSLContext.getInstance("SSL");
- _noClientCertContext.init(null, _trustAllCerts, new SecureRandom());
+ _noClientCertContext.init(null, null, new SecureRandom());
} catch (NoSuchAlgorithmException nsao) {
_logger.severe("Could not get an instance of the SSL algorithm: " + nsao.getMessage());
} catch (KeyManagementException kme) {
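Review bot: the one-line swap to `_noClientCertContext.init(null, null, new SecureRandom());` replaces the trust-all manager with the JVM default trust store, which resolves the MD2withRSA root case but, as noted above the patch, makes the proxy refuse self-signed and private-CA upstream certificates that an intercepting test proxy routinely has to reach. Prefer an explicit, configurable trust policy (default trust store by default, the permissive manager as a per-listener opt-in, and the rejection reason logged) over a hard switch, and state the behaviour change in the commit message. Two things in the surrounding context also deserve a look while trust handling is being revisited: `SSLContext.getInstance("SSL")` and `System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true")` are left as they are, so the context still permits legacy protocol behaviour independently of which trust manager is chosen.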
The error is:
13:01:57 Listener-0.0.0.0:8008-1(Proxy.generateSocketFactory): Generating custom SSL keystore for mobilog.ebay.com
13:02:05 Listener-0.0.0.0:8008-1(SSLContextManager.getSSLContext): Requested SSLContext for null
13:02:05 Listener-0.0.0.0:8008-1(ConnectionHandler.run): IOException retrieving the response for https://mobilog.ebay.com:443/ : javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1902)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1032)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at org.owasp.webscarab.model.Request.writeDirect(Request.java:233)
at org.owasp.webscarab.model.Request.writeDirect(Request.java:214)
at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:242)
at org.owasp.webscarab.plugin.openid.OpenIdHTTPClient.fetchResponse(OpenIdHTTPClient.java:60)
at org.owasp.webscarab.plugin.saml.SamlHTTPClient.fetchResponse(SamlHTTPClient.java:98)
at org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(CookieTracker.java:130)
at org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(BrowserCache.java:101)
at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100)
at org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShell.java:229)
at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243)
at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:223)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:946)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:872)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:814)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 21 more
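The trace ends in sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints: the JDK wraps any trust manager that is not an X509ExtendedTrustManager and runs its disabled-algorithm checks over the whole chain the server presented unless the last certificate is one of the manager's accepted issuers, which a trust-all manager never returns; the default manager instead builds a path that ends at a trust anchor already in the store, so the MD2withRSA root is never checked. The class below is an added example, not WebScarab's code: it keeps the default-trust-store behaviour the patch switches to and, when validation fails, prints each presented certificate's subject and signature algorithm so the operator can see which link was refused instead of getting a blank page. It assumes a JDK 7 or newer runtime; the class name and buildContext() are my own.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical class (not WebScarab code): default-trust-store validation, as in the patched init(null, null, ...), plus diagnostics.
public final class ChainDiagnosticTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;
    public ChainDiagnosticTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore selects the JVM default trust store (cacerts)
        // Assumes JDK 7+: the default PKIX manager is an X509ExtendedTrustManager, and since this
        // class is one too, the JDK applies no AbstractTrustManagerWrapper around it.
        delegate = (X509ExtendedTrustManager) tmf.getTrustManagers()[0];
    }
    // Report subject and signature algorithm of every certificate the server sent, then rethrow,
    // so an MD2withRSA root (or any other constraint violation) shows up in the log.
    private static void explain(X509Certificate[] chain, CertificateException e) throws CertificateException {
        for (int i = 0; i < chain.length; i++) {
            System.err.printf("chain[%d] %s sigAlg=%s%n", i, chain[i].getSubjectX500Principal(), chain[i].getSigAlgName());
        }
        throw e;
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        try { delegate.checkServerTrusted(chain, authType, socket); } catch (CertificateException e) { explain(chain, e); }
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        try { delegate.checkServerTrusted(chain, authType, engine); } catch (CertificateException e) { explain(chain, e); }
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try { delegate.checkServerTrusted(chain, authType); } catch (CertificateException e) { explain(chain, e); }
    }
    // Client-certificate checks are unrelated to this issue; pass them straight through.
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine g) throws CertificateException { delegate.checkClientTrusted(c, a, g); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    // Same shape as the SSLContextManager call in the diff (requesting "TLS" rather than "SSL"), with the diagnostic manager installed.
    public static SSLContext buildContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ChainDiagnosticTrustManager() }, new SecureRandom());
        return ctx;
    }
}
```

Wire buildContext() in where the diff calls init(); on the eBay host from the log the stderr lines then name the certificate whose sigAlg the JDK refused, while self-signed upstreams still fail closed rather than silently.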
Recently I came to know about WebScarab and tried installing it on my system running Win 8. It ended up with an Application Error dialogue box which said Unable To Start Application.
When I checked for details, it said:
ExitException[ 3]com.sun.deploy.net.FailedDownloadException: Unable to load resource: http://dawes.za.net/rogan/webscarab/$$codebase/$$name
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Please help me out...
Thanks in advance :)
We were wondering if there were any plans to make WebScarab available as a Maven dependency any time soon. Thanks,
I get this error message when starting WebScarab on Windows 7:
Error instantiating the PKCS11 provider
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at org.owasp.webscarab.httpclient.AbstractCertificateRepository.initPKCS11(AbstractCertificateRepository.java:163)
at org.owasp.webscarab.httpclient.SSLContextManager.<init>(SSLContextManager.java:55)
at org.owasp.webscarab.httpclient.HTTPClientFactory.<init>(HTTPClientFactory.java:77)
at org.owasp.webscarab.httpclient.HTTPClientFactory.<clinit>(HTTPClientFactory.java:55)
at org.owasp.webscarab.plugin.Framework.configureHTTPClient(Framework.java:379)
at org.owasp.webscarab.plugin.Framework.<init>(Framework.java:100)
at org.owasp.webscarab.WebScarab.main(WebScarab.java:118)
Caused by: java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:128)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)
... 11 more
Caused by: sun.security.pkcs11.ConfigurationException: Absolute path required for library value: lib/p11-capi.dll
at sun.security.pkcs11.Config.parseLibrary(Config.java:681)
at sun.security.pkcs11.Config.parse(Config.java:398)
at sun.security.pkcs11.Config.<init>(Config.java:220)
at sun.security.pkcs11.Config.getConfig(Config.java:84)
... 13 more
I was able to fix the issue in SSLContextManager.java with this change:
initPKCS11("P11-CAPI", new File(".").getAbsolutePath() + "/lib/p11-capi.dll", 0, "");
Transformation code tools:
This looks like a pretty outdated repo, but if you are there listening, someone needs to open Gate 3.... sorry, someone needs to add a build process so that I can rebuild WebScarab and add my own server.p12 file using these instructions: https://www.owasp.org/index.php/WebScarab_SSL_Certificates
Dear All,
Trust you're fine. Please help with this issue I've been struggling with:
When trying to connect to an HTTPS site whose certificate was issued by Verisign, using WebScarab as proxy, the browser crashes, which I rightly assumed is due to a certificate problem. So, I instructed the WebScarab proxy listener to use that particular link as base URL on port 443. This solved the problem partially, as the browser no longer crashes but does not display the HTTPS page, just blank.
I googled the subject but it wasn't that clear. So, if you've something to share please....
Thanks and Regards,
Victor
When using the WebScarab proxy settings I get this error in my browser: Your connection is not secure
I guess it's about the certification.
Which steps should I follow to proceed?
Now the groupId to use is: "com.jolira"