List: owasp-webscarab
Subject: Re: [Owasp-webscarab] Scripter Plugin Scripting Help
From: Rogan Dawes <lists () dawes ! za ! net>
Date: 2006-11-15 22:59:17
Message-ID: 455B9BC5.4030407 () dawes ! za ! net
Jason Trinklein wrote:
>
> I'm attempting to write a basic script that automatically looks for
> certain fields in all outgoing HTTP requests through webscarab, and
> replaces the form data with something else, whether it be a static
> string, something pulled in from a file, or generated. I don't
> understand the API for webscarab or the scripter. How do I make such a
> change to an outgoing http request, and have it continually monitor the
> requests, making changes as necessary? What functions do I call?
>
> Thank you!
> -Jason Trinklein
There are two places in which you can implement this script, the
Proxy->BeanShell, and via the Script Manager. They are mostly
equivalent, although the way in which you get access to the request and
the response differs a bit.
The major difference is that you don't have access to the Response in
the same script execution, if you use the Script Manager (you'll see why
this is). So, if you want to make changes in the response, based on
something you did to the request, it gets a little trickier using the
Script Manager.
For your purposes, both should be equally effective. The other
difference is that scripts that you create via the Script Manager are
persistent, i.e. they will survive across invocations of WebScarab,
while the Proxy->BeanShell scripts are not, and simply get forgotten.
First example, using Proxy->BeanShell:
/* Please read the JavaDoc and/or the source to understand what methods
   are available */
/* You can also use the online help, check the Appendix section */
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.NamedValue;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import java.io.IOException;

public Response fetchResponse(HTTPClient nextPlugin, Request request)
        throws IOException {
    HttpUrl url = request.getURL();
    String query = url.getQuery();
    if (query != null) {
        // splitNamedValues returns NamedValue[], not String[]
        NamedValue[] params = NamedValue.splitNamedValues(query, "&", "=");
        boolean changed = false;
        for (int i = 0; i < params.length; i++) {
            if (params[i].getName().equals("myParam")) {
                // do something
                // note that NamedValue instances are immutable
                // create a new one with the same name and the new value
                // ("newValue" is a placeholder for whatever you want to send)
                params[i] = new NamedValue(params[i].getName(), "newValue");
                changed = true;
            }
        }
        if (changed) {
            // reconstruct the URL
            // concatenate each NamedValue together with "&" and "="
            // yes, this should be a utility method! Patches welcome
            StringBuffer sb = new StringBuffer();
            for (int i = 0; i < params.length; i++) {
                if (i > 0) sb.append("&");
                sb.append(params[i].getName()).append("=").append(params[i].getValue());
            }
            query = sb.toString();
            // getSHPP() gives scheme, host, port and path; add the "?" back ourselves
            HttpUrl newUrl = new HttpUrl(url.getSHPP() + "?" + query);
            request.setURL(newUrl);
        }
    }
    Response response = nextPlugin.fetchResponse(request);
    // to drop a request instead of forwarding it, throw before fetching:
    // throw new IOException("Request rejected");
    return response;
}
The equivalent script as a ScriptManager script, attached to the
Proxy->Intercept Request hook:
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.NamedValue;
import org.owasp.webscarab.model.Request;
import java.io.IOException;

Request request = connection.getRequest(); // this is only a copy!
// this next part is identical to the previous script
HttpUrl url = request.getURL();
String query = url.getQuery();
if (query != null) {
    // splitNamedValues returns NamedValue[], not String[]
    NamedValue[] params = NamedValue.splitNamedValues(query, "&", "=");
    boolean changed = false;
    for (int i = 0; i < params.length; i++) {
        if (params[i].getName().equals("myParam")) {
            // do something
            // note that NamedValue instances are immutable
            // create a new one with the same name and the new value
            // ("newValue" is a placeholder for whatever you want to send)
            params[i] = new NamedValue(params[i].getName(), "newValue");
            changed = true;
        }
    }
    if (changed) {
        // reconstruct the URL
        // concatenate each NamedValue together with "&" and "="
        // yes, this should be a utility method! Patches welcome
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < params.length; i++) {
            if (i > 0) sb.append("&");
            sb.append(params[i].getName()).append("=").append(params[i].getValue());
        }
        query = sb.toString();
        // getSHPP() gives scheme, host, port and path; add the "?" back ourselves
        HttpUrl newUrl = new HttpUrl(url.getSHPP() + "?" + query);
        request.setURL(newUrl);
    }
}
// now "commit" our changes
connection.setRequest(request);
Hope this has helped.
If not, post your script to the list, and I'll take a look at it.
Rogan
_______________________________________________
Owasp-webscarab mailing list
Owasp-webscarab@lists.owasp.org
http://lists.owasp.org/mailman/listinfo/owasp-webscarab
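As an added example (not Rogan's code and not part of WebScarab itself), the same rewrite extended to the url-encoded POST form data Jason asked about, written as a Script Manager script for the Proxy->Intercept Request hook. It assumes the hook supplies `connection` as in the reply above, that `HttpUrl.getQuery()` returns the query without the leading `?`, and that `Request` inherits `getHeader`, `setHeader`, `getContent` and `setContent` from WebScarab's `Message` class; `NEW_VALUE`, `joinNamedValues` and `rewrite` are this example's own names.

```java
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.NamedValue;
import org.owasp.webscarab.model.Request;
import java.net.URLEncoder;

// Constructed replacement value; substitute a static string, a value read from a file, or a generated one.
// splitNamedValues does not URL-decode, so whatever you insert must already be URL-encoded.
String NEW_VALUE = URLEncoder.encode("replacement value", "UTF-8");

// The utility method missing from NamedValue: join pairs back into a query string or form body.
String joinNamedValues(NamedValue[] params, String pairSep, String nvSep) {
    StringBuffer sb = new StringBuffer();
    for (int i = 0; i < params.length; i++) {
        if (i > 0) sb.append(pairSep);
        sb.append(params[i].getName()).append(nvSep).append(params[i].getValue());
    }
    return sb.toString();
}

// Replace every parameter named targetName; returns null when nothing matched so the request is left untouched.
String rewrite(String encoded, String targetName) {
    NamedValue[] params = NamedValue.splitNamedValues(encoded, "&", "=");
    boolean changed = false;
    for (int i = 0; i < params.length; i++) {
        if (params[i].getName().equals(targetName)) {
            params[i] = new NamedValue(targetName, NEW_VALUE); // NamedValue is immutable
            changed = true;
        }
    }
    return changed ? joinNamedValues(params, "&", "=") : null;
}

Request request = connection.getRequest(); // only a copy; committed at the end
// 1. Parameters in the query string (assumes getQuery() returns it without the "?")
HttpUrl url = request.getURL();
String newQuery = (url.getQuery() == null) ? null : rewrite(url.getQuery(), "myParam");
if (newQuery != null) request.setURL(new HttpUrl(url.getSHPP() + "?" + newQuery));
// 2. Form data in a url-encoded POST body (multipart/form-data needs a different parser)
String ctype = request.getHeader("Content-Type");
byte[] body = request.getContent();
if (ctype != null && ctype.startsWith("application/x-www-form-urlencoded") && body != null) {
    String newBody = rewrite(new String(body, "ISO-8859-1"), "myParam");
    if (newBody != null) {
        byte[] bytes = newBody.getBytes("ISO-8859-1");
        request.setContent(bytes);
        request.setHeader("Content-Length", String.valueOf(bytes.length)); // keep framing consistent
    }
}
connection.setRequest(request); // commit the edited copy
```

Because the script runs on every intercepted request, the `null` return from `rewrite` is what keeps unrelated traffic from being rewritten or having its Content-Length touched.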