
List:       owasp-webscarab
Subject:    Re: [OWASP-WEBSCARAB] Antwort: Re: Adding functionality to
From:       Rogan Dawes <lists () dawes ! za ! net>
Date:       2006-08-01 15:07:29
Message-ID: 44CF6E31.9040809 () dawes ! za ! net

Philippe Schaeffer wrote:
> 
> Rogan,
> thanks a lot for your quick answer.
> 
> 
> On 28.07.2006 16:43:12 Rogan Dawes wrote:
> > Philippe Schaeffer wrote:
> > > 
> > > Hi everybody,
> > > 
> > > I would like to add some functions to the Edit Request window.
> > > eg:
> > > - Right click on the value of a POST parameter to get a menu that lets
> > > me base64 decode and base64 encode the value.
> > 
> > Probably the best place to implement this would be in the
> > src/org/owasp/webscarab/ui/swing/editors/UrlEncodedPanel.java. This is
> > the class that parses out POST body parameters, and presents them in a 
> table.
> > 
> > I guess that adding a right-click menu would not be too difficult.
> > 
> 
> Before I got your answer a colleague of mine already wrote some lines 
> that patch HeaderPanel.java.
> The patch adds two buttons to the request intercept window. These 
> buttons can be used to encode and decode any marked field in base64.
> It's not very elegant but serves our purpose.
> You find it attached.
> 
> Also we decided to invest some more time in the future to add some 
> functions and plugins to webscarab that we consider useful.
> Right now we are using eclipse and the latest sources available on 
> sourceforge. Do you have any suggestions on the most useful way to 
> contribute to webscarab, e.g.:
> - what frameworks, build systems etc to use
> - what sources to use (tar balls on sourceforge or some cvs or 
> subversion server)
> - contribute to webscarab-ng or to "plain old" webscarab
> - send patches to you, the list or some cvs/subversion server

Development of "plain old" WebScarab was done using NetBeans, primarily 
for the GUI builder. If you are planning on making changes to any of the 
UI forms, it is probably a good idea to use NetBeans as well, so that 
your changes do not get overwritten. Of course, if you are not making 
changes to any of the protected methods (normally marked with special 
comments at the start and end of the method), you should be OK to make 
changes using any editor you like.

WebScarab has a fairly complete Ant build system, and works on both 
Windows and Linux/Unix. The only thing that is not integrated in the 
build system is construction of the JavaHelp pages, which requires Norman 
Walsh's stylesheets, and uses xsltproc.

Source code is maintained in a GIT repository, and a public copy is 
located at http://dawes.za.net/rogan/webscarab/webscarab.git

You can browse it using gitweb, at http://dawes.za.net/gitweb.cgi

Source snapshots are created automatically every time there is any 
change to the repository (on the "master" branch, that is), and can be 
retrieved from:

http://dawes.za.net/rogan/webscarab/webscarab-src-current.tar.gz

This is a fairly large file, since it includes all the libraries 
required to build WebScarab.

WebScarab-NG is also available from my website. GitWeb also provides an 
option to view the WebScarab-NG tree, using the URL provided above.

The repository is located at:

http://dawes.za.net/rogan/webscarab/webscarab-ng.git

This repository does NOT include the required libraries. I hope to 
implement a proper Maven build process for building, and automatically 
setting up projects, etc. I have not yet done so, unfortunately. The 
required libraries can be downloaded in one large file from:

http://dawes.za.net/rogan/webscarab/webscarab-ng-libs.tar.gz

I am using Eclipse to develop WebScarab-NG, and my build process is 
currently just to jar up the "bin" directory ;-)

As far as contributions go, you would probably get the most mileage from 
contributing to "plain old" WebScarab, as it has significantly more 
functionality than WS-NG has, or will have in the near future. I will 
continue to make bug fix releases of old WebScarab, and even add new 
functionality where suitable.

That said, my major development focus will be on WebScarab-NG. Anyone 
who would like to influence the direction of WebScarab NG is welcome to 
dig in, and have a go.


> > > - possibly the same menu with some user defined function (other than
> > > base64)
> > 
> > Not sure how you would want to allow the user to define these
> > operations? I'm not dismissing your idea, I just really have no idea how
> > to go about implementing this.
> > 
> I thought of an additional beanShell interface in which a user defined 
> encode and decode function can be supplied (maybe using the Tools-"Script 
> Manager" Interface) that then can be accessed through a right click menu 
> or (as done in the patch above) some additional buttons.

Ok, that makes some sense. The way it would be implemented would be by 
implementing the "Hook" interface, and registering it with the Script 
Manager. Triggering the Hook would be done using a menu item, hot key, etc.

Currently the Script Manager interface (well, the framework interface) 
does not really lend itself to this kind of usage, as it assumes that a 
Plugin is the root of the Hook tree, rather than some part of the user 
interface. This may not be too difficult to fix up, though.

> > > Also it would be nice to have table of parsed parameters in a GET
> > > request and a table of parsed cookie values (the screenshot of
> > > webscarab-NG displays something very similar)
> > > On these tables I would need the same right click menu as described 
> above.
> > 
> > Yes, I've had a request for something similar before. I just never
> > managed to find a good way of presenting this table. My feeling is that
> > the RequestPanel is already quite cramped vertically, and adding an
> > extra table would make the problem even worse.
> > 
> > You're welcome to give it a go, and see if you can come up with
> > anything. Unfortunately, that code in RequestPanel is pretty ugly.
> > 
> 
> You are right, the RequestPanel is quite cramped already. Since we are 
> using 1600x1200 screens there is still some room for an additional table ;-)

Right. However, I still need to consider users that are using 1024x768 
screens, too, so your changes would have to be either optional, or else 
implemented in such a way that they do not consume too much screen real 
estate for more constrained users.

> That's probably what we will try first, thinking about alternative 
> visual representations later.
> Alternatively we thought of extending the table as you have done with the 
> fuzzer plugin. So we would use the same table used in POST request 
> interceptions and add another column with the source of the parameter 
> (GET=Query, POST=Body, Cookie=Cookie).
> We will give it a try.

I look forward to seeing what you come up with. I make no pretense of 
being a great UI designer, as I'm sure many will attest to! ;-)

> Another addition we want to make:
> The Extensions plugin could use an ErrorString field that will be 
> evaluated when a server always returns status 200 (eg. a custom error 
> page). If the supplied string is found in the response it is rated as 
> false positive.

Yes, that would be useful. What might possibly be a good approach here 
is providing a Scripting hook so that users can provide their own custom 
implementation of a False Positive detection routine.

> > > BTW: The base64 decoder of the tools->transcoder gives me an
> > > IndexOutOfBoundsException whenever the full string is not decodeable
> > > (writing over the supplied string). It would be nice if the decoder was
> > > more fault tolerant and decoded at least part of the supplied string
> > > displaying the part that is not decodeable.
> > 
> > Can you give me an example, showing the text you are trying to decode,
> > as well as detailing your preferred output?
> > 
> > e.g. Trying to decode a String of "blah blah blah" gives an error. I
> > think it should give me "abcdef".
> > 
> ASP.NET and SAP Portal Server make extensive use of base64 encoded 
> parameters and some of them are "protected" by checksums.
> 
> example:
> AjExMDAgABNwb3J0YWw6RjYxMjA0NTcyMDAxiAATYmFzaWNhdXRoZW50aWNhdGlvbgEADEY2MTIwNDU3MjAwMQIAAzAwMAMAA1pJUAQADDIwMDYwODAxMTEzOAUABAAAAAgKAAxGNjEyMDQ1NzIwMDH/APUwgfIGCSqGSIb3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHBMIG+AgEBMBMwDjEMMAoGA1UEAxMDWklQAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNjA4MDExMTM4MjdaMCMGCSqGSIb3DQEJBDEWBBRQfKeRnN96VtXr5DHY+Pm7CztQHDAJBgcqhkjOOAQDBC8wLQIUQHn/2IkT0ZZVzEmd/1NG7qIF5tQCFQCAgjCcYtoi8Ajvk/zvJzmZeDhDpA
>  
> gives me an "Exception! java.lang.RuntimeException: No linefeed found at 
> position 76" in webscarab

Right. This makes sense. I really should relax the constraints on the 
decoding algorithm, which I copied practically verbatim from the OWASP 
Common Library many moons ago ;-)

> while
> echo "AjExMDAgABNwb3J0YWw6RjYxMjA0NTcyMDAxiAATYmFzaWNhdXRoZW50aWNhdGlvbgEADEY2MTIwNDU3MjA \
> wMQIAAzAwMAMAA1pJUAQADDIwMDYwODAxMTEzOAUABAAAAAgKAAxGNjEyMDQ1NzIwMDH/APUwgfIGCSqGSIb \
> 3DQEHAqCB5DCB4QIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHBMIG+AgEBMBMwDjEMMAoGA1UEAxM \
> DWklQAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0 \
> wNjA4MDExMTM4MjdaMCMGCSqGSIb3DQEJBDEWBBRQfKeRnN96VtXr5DHY+Pm7CztQHDAJBgcqhkjOOAQDBC8wLQIUQHn/2IkT0ZZVzEmd/1NG7qIF5tQCFQCAgjCcYtoi8Ajvk/zvJzmZeDhDpA" \
>  | base64 -d
> still gives me some useful info:
> 1100 portal:F61305572001basicauthenticationF61305572001000ZIP200608011138
> 1%G�%@0%G�%@0010+001%G�%@   *H   *H
> Input file incomplete.
> 060801111P|%G��%@zV%G���%@1%G����%@;P0      \
> *H%G�%@8/0-@y%G���%@U%G�%@I%G�%@SF%G����%@0b%G�%@"%G���%@'9x8C \
>  
> 
> Cheers,
> 
> Philippe

Many thanks for your comments.

Regards,

Rogan
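Two of the items in the thread above lend themselves to a concrete illustration: the unified parameter table with a "source" column (Query, Body, Cookie) that Philippe proposes, and a base64 decoder that decodes what it can and reports the remainder instead of failing on input that is not wrapped at 76 columns. The following Python is an added example written for this page; it is not WebScarab code and not code from either correspondent. The function names (lenient_b64decode, parse_request_params, decode_table, looks_like_base64), the eight-character "looks like base64" heuristic, and the sample request are all constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qsl

# Added example, not WebScarab code: a lenient base64 decoder plus a unified
# parameter table (Query/Body/Cookie) of the kind discussed in the thread.
# All names below and the sample request are constructed for illustration.

_B64_PREFIX = re.compile(r"[A-Za-z0-9+/]*=*")


def lenient_b64decode(text):
    """Decode the longest valid base64 prefix of `text`.

    Returns (decoded_bytes, undecodable_tail). Unlike a MIME-style decoder
    that insists on a linefeed every 76 characters, this ignores all
    whitespace, tolerates missing '=' padding, and stops at the first
    character outside the alphabet instead of raising, so a partially
    decodable value still yields its readable prefix.
    """
    compact = re.sub(r"\s+", "", text)
    prefix = _B64_PREFIX.match(compact).group(0)
    consumed = len(prefix)
    core = prefix.rstrip("=")
    # Four alphabet characters encode three bytes; a single leftover
    # character carries only six bits and cannot form a whole byte, so it
    # is reported as undecodable together with whatever followed it.
    if len(core) % 4 == 1:
        core = core[:-1]
        consumed = len(core)
    padded = core + "=" * (-len(core) % 4)
    return base64.b64decode(padded), compact[consumed:]


def strict_decode_fails(text):
    """True when the standard strict decoder rejects `text`
    (missing padding, stray characters, unexpected whitespace)."""
    try:
        base64.b64decode(text, validate=True)
        return False
    except ValueError:  # binascii.Error is a ValueError subclass
        return True


def parse_request_params(raw_request):
    """Split a raw HTTP request into (source, name, value) rows, with
    source one of 'Query', 'Cookie' or 'Body': one table for all
    parameter locations."""
    head, _sep, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    rows = []
    _path, _q, query = target.partition("?")
    rows += [("Query", k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    cookie_parts = (p.strip() for p in headers.get("cookie", "").split(";"))
    for part in filter(None, cookie_parts):
        name, _, value = part.partition("=")
        rows.append(("Cookie", name, value))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        rows += [("Body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return rows


def looks_like_base64(value):
    """Heuristic (assumption): at least eight consecutive base64 characters."""
    return re.match(r"[A-Za-z0-9+/]{8,}", value) is not None


def decode_table(rows):
    """Extend each (source, name, value) row with (decoded, tail) for values
    that look base64-encoded, and (None, None) otherwise."""
    table = []
    for source, name, value in rows:
        if looks_like_base64(value):
            decoded, tail = lenient_b64decode(value)
        else:
            decoded, tail = None, None
        table.append((source, name, value, decoded, tail))
    return table


# Constructed sample request (not captured from any real application).
SAMPLE_REQUEST = (
    "POST /portal/login?page=home&tok=SGVsbG8sIFdvcmxkIQ HTTP/1.1\r\n"
    "Host: portal.example\r\n"
    "Cookie: session=abc123; state=QUJDREVGRw==\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 48\r\n"
    "\r\n"
    "user=bob&blob=SGVsbG8sIFdvcmxkIQ%3D%3D!!trailing"
)

if __name__ == "__main__":
    for source, name, value, decoded, tail in decode_table(parse_request_params(SAMPLE_REQUEST)):
        print(f"{source:6} {name:8} {value!r:36} -> {decoded!r} tail={tail!r}")
```

The body parameter in the sample carries valid base64 followed by junk; the strict decoder rejects it outright, while the lenient one returns the decoded prefix and "!!trailing" as the undecodable remainder, which is the behaviour asked for in the thread. Intercepted values that are wrapped across lines, or that arrive without padding, decode the same way because whitespace is dropped and padding is recomputed before decoding.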

_______________________________________________
Owasp-webscarab mailing list
Owasp-webscarab@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/owasp-webscarab