Editor: There is no shiny red button on WebScarab; it is a tool primarily designed to be used by people who can write code themselves, or at least have a pretty good understanding of the HTTP protocol. If that sounds like you, welcome! Download WebScarab, sign up for the mailing list on the OWASP subscription page, and enjoy! You can read the Brief tutorial for an explanation of the basic workings.
WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
A framework without any functions is worthless, of course, and so WebScarab provides a number of plugins, mainly aimed at the security functionality for the moment. Those plugins include:
Fragments - extracts scripts and HTML comments from HTML pages as they are seen via the proxy, or other plugins
Proxy - observes traffic between the browser and the web server. The WebScarab proxy is able to observe both HTTP and encrypted HTTPS traffic, by negotiating an SSL connection between WebScarab and the browser instead of simply connecting the browser to the server and allowing an encrypted stream to pass through it. Various proxy plugins have also been developed to allow the operator to control the requests and responses that pass through the proxy.
Manual intercept - allows the user to modify HTTP and HTTPS requests and responses on the fly, before they reach the server or browser.
BeanShell - allows for the execution of arbitrarily complex operations on requests and responses. Anything that can be expressed in Java can be executed.
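The Fragments plugin described above pulls inline scripts and HTML comments out of every page that passes through the proxy, which is how leftover developer notes and client-side logic end up in front of the reviewer. The following is an added example, not WebScarab's own code, that performs the same extraction on a response body using only the Python standard library; the HTML below is constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample response body; not taken from any real application.
SAMPLE_HTML = """<html><head>
<!-- TODO: remove debug endpoint before release -->
<script src="/static/app.js"></script>
<script>var apiBase = "/api/v2/"; function login(u,p){ /* ... */ }</script>
</head><body>
<!-- build 1234, staging -->
<p>Hello <!-- inline note --> world</p>
<script type="text/javascript">
  console.log("inline two");
</script>
</body></html>"""


class FragmentExtractor(HTMLParser):
    """Collects inline <script> bodies, external script URLs and HTML comments."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # bodies of inline <script> elements
        self.script_srcs = []   # src attributes of external scripts
        self.comments = []      # text of <!-- ... --> comments
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)
            else:
                # HTMLParser switches to CDATA mode here, so handle_data
                # receives the raw script text until </script>.
                self._in_script = True
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(body)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_fragments(html: str) -> dict:
    """Return the scripts, external script URLs and comments found in html."""
    parser = FragmentExtractor()
    parser.feed(html)
    parser.close()
    return {"scripts": parser.scripts,
            "script_srcs": parser.script_srcs,
            "comments": parser.comments}
```

Running `extract_fragments(SAMPLE_HTML)` surfaces the two inline scripts, the external script URL and all three comments, including the one buried inside a paragraph.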