problem setting up WebScarab


Dave

Sep 4, 2012, 4:07:51 AM
to owas...@googlegroups.com
Hi there,

I'm having some problems setting up WebScarab to work with the owaspbwa, so that I can use it during my WebGoat training. I was wondering if someone would help me out in this area, so that I can get things going. The WebScarab docs only talk about setting up the proxy for WebGoat running on localhost, not the way that owaspbwa has things set up.

Your help is greatly appreciated.
Thank you,
Dave

ryan tierney

Sep 4, 2012, 7:35:56 AM
to owas...@googlegroups.com
WebScarab should be set up locally in your browser. It will intercept all traffic that runs through it, meaning any web site you visit, local or remote. It doesn't make a difference if WebGoat is running on your local machine or a server. I hope this helps.

Ryan Tierney (Gh0$7)
BSIT/ISS
Security+
C | EH
OSCP

Chuck Willis

Sep 4, 2012, 10:26:54 AM
to owas...@googlegroups.com
Yep, WebScarab will be running on the same machine where you are
"attacking" from, so in your browser proxy settings, you will still
use 'localhost'. You can find some details on the setup for different
browsers at:

Firefox: http://travisaltman.com/webscarab-tutorial-part-1-learning-the-basics/
Internet Explorer: https://www.owasp.org/index.php/WebScarab_Getting_Started

Both of those pages are a little old, however, so the look of the
browser proxy configuration dialog boxes may have changed, but the
idea is the same.

If you are new to web application pen testing, a couple things to consider:

1. OWASP Zed Attack Proxy (ZAP) is (IMO) easier to use than WebScarab
and is being more actively developed. I believe it lacks a couple of
the more advanced WebScarab features, but it is rapidly adding new
features (and now has a plugin architecture). You can find tutorial
videos on it at https://code.google.com/p/zaproxy/wiki/Videos. I'd
recommend learning with ZAP rather than WebScarab.

2. There are a variety of LiveCD and VMs available that have attack
tools already installed and configured for you if you don't want to do
the configuration yourself. I'd recommend BackTrack Linux
(http://www.backtrack-linux.org/), which is available as either a
LiveCD or a VMware machine. OWASP has a LiveCD, but it is quite
dated.

Good luck!

Chuck

Vacheh David Sardarian

Sep 5, 2012, 12:43:56 AM
to owas...@googlegroups.com
Thank you for the help. Your suggestion really helped. Also, for some reason, when I installed WebScarab on my Ubuntu box it ran as WebScarab Lite instead of the full/regular WebScarab version. So I just went to one of the menu buttons and asked it to reset to regular WebScarab upon restarting the program.

Also, just a side note: I submitted a bug and a feature request. I was wondering what the turnaround time is for at least someone from the dev group to take a look at the submitted reports.

Thank you,
Dave.

Chuck Willis

Sep 6, 2012, 8:43:22 PM
to owas...@googlegroups.com
Running as WebScarab Lite is a "feature" designed to make WebScarab
easier to use for beginners. Glad to hear that you found the option
to get the full interface.

As for the WebScarab bug and feature requests, where did you submit
those? I am not aware of a place to report those other than the
WebScarab mailing list
(https://lists.owasp.org/mailman/listinfo/owasp-webscarab). Rogan
(the WebScarab project lead / developer) is usually pretty quick to
respond to posts on that list.

Chuck

Matt Fisher

Sep 7, 2012, 6:22:40 AM
to owas...@googlegroups.com
I haven't looked at WebScarab in like a decade (literally?), but at first glimpse of the screenshot on the project page it looks a lot like Burp. If one gives you trouble you could probably use the other if you have to get a project going.

-M

Vacheh David Sardarian

Sep 7, 2012, 6:23:12 PM
to owas...@googlegroups.com
Oh, I didn't mean WebScarab bugs and features. I meant an OWASP-BWA bug and feature request, and I submitted them to the reporting page that was mentioned in one of the owaspbwa support pages.

-Dave

Chuck Willis

Sep 10, 2012, 11:20:41 PM
to owas...@googlegroups.com
Oh, ok. Thanks for the clarification.

I found the items you submitted on SourceForge. We actually don't use
those trackers (and I don't get email notifications when people submit
items so I hadn't seen them). I had disabled the trackers in the
SourceForge configuration some time ago, but it appears that something
re-enabled them. I've disabled the trackers again in order to prevent
confusion and moved the items you submitted into our actual bug /
enhancement tracker on Google Code at
https://code.google.com/p/owaspbwa/issues/list. Sorry for the mix up.

As for the specific issues, I put responses to them in each issue in
Google Code. Thanks for bringing them to my attention and I'll try to
get something figured out for them soon.

Chuck


Vacheh David Sardarian

Sep 12, 2012, 1:05:59 AM
to owas...@googlegroups.com
Thank you. I'll take a look at the Google Code section, and I'm looking forward to hearing from you regarding any possible fix. Also, I was wondering if you also looked at the feature request that I submitted. It is regarding the addition of the Android WebGoat suite. I was wondering if it could be added to the BWA in its next release.
Also, I was wondering if you could just delete the trackers altogether, just to prevent them from being enabled again in the future.

Thank you.
-Dave

Chuck Willis

Sep 12, 2012, 9:51:26 AM
to owas...@googlegroups.com
I looked into the error you reported a bit more. What is happening
are some SVN conflicts due to changes in the OWASP ESAPI SwingSet
Interactive project (which I also had to make minor changes to in
order to get it to work on the VM). If you get past that, there are
also conflicts when the owaspbwa-update-all.sh script tries to update
WebGoat.NET from its Git repository.

Those update scripts are for "living on the edge" and are frequently
going to encounter these types of issues, especially as more time
passes after the release of a VM. You are also at the mercy of the
developers for the project you are updating... the code in their
repository may not be working (maybe they are in the middle of a
rewrite, for example). What I may do is add some prompts into that
script to allow the user to choose whether to update each component...
at least then if you find that one component is having issues, then
you could skip that one. Unfortunately, by the time you find out that
there is an issue, you've probably already broken that app since it
has partially updated and may no longer compile / run properly.
Fortunately, it is a VM so you can revert to an earlier state.

In the short term, I was able to get the script to work by skipping
the updates to those two components. That is, you can edit
/usr/local/bin/owaspbwa-update-all.sh and comment out (add a # to the
beginning of) the following two lines:
- Line 71 ("svn update /owaspbwa/owasp-esapi-java-swingset-interactive-svn")
- Line 81 ("git pull" under the update for webgoat.net)

Once the above changes are made, then run owaspbwa-update-all.sh and
everything looks to run smoothly. At this point, however, it doesn't
appear that there are any updates to the other components, so this
doesn't gain you anything. If there are updates to something like
DVWA or WebGoat (for Java) before the next OWASPBWA release, though,
then this would get you those.

I included the GoatDroid item in the issues on Google Code as well:
https://code.google.com/p/owaspbwa/issues/detail?id=68. As far as I
know, there is not a server side component to GoatDroid at this time,
it is all code that runs on the device / emulator itself. If I'm
missing something, though, let me know. I'll continue to keep an eye
on that project.

I just looked at the similar iOS project iGoat. They do have a server
side component (written in Ruby). I've opened a new enhancement
request to include that on the VM.

Unfortunately I've got limited control over the stuff on SourceForge
and don't have an option to completely remove the trackers, etc. They
went through some significant upgrades and that is probably when those
things got re-enabled. I'll keep an eye out for any future
announcements from them.

Chuck


Mohamed Faizal

Feb 25, 2014, 4:10:33 AM
to owas...@googlegroups.com

Hi, I need the WebScarab Lite version. I have no idea how to download it; please let me know where I can download it.
