In a previous article, I have presented the TCP/IP Monitor in Eclipse, in this article, I will present a other proxy tool named Webscarab, its installation and its basic use by the configuration of a local proxy.
WebScarab is a tool and a framework for analysing applications that communicate using the HTTP and HTTPS protocols, it is designed for Web security professionals and Web developers. This tool records the conversations (requests and responses) and allows the user to view the traffic between the Web browser and server, and modify it in transit. WebScarab is intended to become the tool of choice for serious Web debugging.
Download WebScarab
WebScarab is downloadable on the SourceForge pages: http://sourceforge.net/projects/owasp/files/WebScarab/. I have downloaded the following version webscarab-installer-20070504-1631.jar
Install the software by double clicking on this file; installation should start automatically. If installation does not start automatically, it may be because your Windows does not know yet how to execute a .jar file. If so, tell Windows how to do this: Right click on the .jar file, choose Open With / Choose Program and then choose the file javaw.exe in the Java installation directory on your computer (e.g. C:\Program Files\Java\jre1.6.0_02\bin), and check „Always use the selected program to open this kind of file“ or similar:
Choose an installation place (in our example C:\MyFiles\Development\Java\tools\WebScarab)
Use WebScarab
After installation, start WebScarab by double clicking on a shortcut or by double clicking on the .jar in the directory where you installed WebScarab (in our example: C:\MyFiles\Development\Java\tools\WebScarab). WebScarab should like like this:
Configuration
1) Set your external proxy in WebScarab
For that, the proxy configuration consists of configure the proxy to which will redirected/forwarded the queries received by the “local proxy”.
This proxy is depends on your current network location: It may be the proxy of your company, or your home ISP, or none at all (in the latter case, you can
just skip this step):
In the following example, from Internet Explorer browser: in first example, there is no proxy, and in the second, all requests go through a proxy xxxxx on port 8082:
So, it is possible to configure several address, these are server’ addresses for which the communications/queries don’t be forwarded to the proxy by the “local proxy”:
As we use no proxy, so the filling of this screen could be:
Check the “Intercept requests” checkbox in “Intercept ” tab in WebScarab:
2) Set WebScarab as internal proxy in your browser
Now we need to tell the browser that, for the duration of using WebScarab, it should no longer use its usual external proxy, but instead use WebScarab as its proxy (“local proxy”). So, the queries in the browser will be routed to the configured proxy (local proxy). I show how to do this for the Firefox and Internet Explorer browsers (for other browsers, such as Chrome, Opera or Safari, you should easily find this out yourself):
Firefox:
Please go to the following place:Tools / Options / Advanced / Network / Connection / Settings
Please enter localhost as the HTTP proxy, and 8008 as the port. Make sure that localhost does not(!) appear in the “No Proxy for” list:
Internet Explorer:
Please go to the following place: Tools / Internet Options / Connections / LAN Settings
Check “Use a proxy server for your LAN” and uncheck “Bypass proxy server for local addresses”:
Use and tests
Test n°1:
Open a new tab, go to www.google.fr site, then in WebScarab, click several times on the “Accept changes” button in order to accept the queries coming from browser. In our simple example, there are 2 queries: first to download the site www.google.fr and the second for the PNG image:
Test n°2:
Open a new tab, go to www.javablog.fr site, then in WebScarab, click on the button “Abort request” in order to abort the query coming from browser:
Test n°3:
Open a new tab, go to http://translate.google.fr/ site, then in WebScarab, check the “Intercept responses” checkbox to allow the edition of response from requested site. The response could be also accepted or aborted like request, and displayed in the Text, XML, HTML formats in WebScarab:
Test n°4:
Following, edition of an ajax request/response:
In our examples, the version “webscarab-installer-20070504-1631.jar” of WebScarab.
You really make it seem so easy together with your presentation however
I to find this matter to be really one thing that I feel I might by no means understand.
It kind of feels too complex and very vast for me.
I am looking ahead for your subsequent submit, I will attempt to get the dangle of it!