WebScarab is another web proxy, full of features that may prove interesting to penetration testers. In this recipe, we will use it to spider a website.
By default, WebScarab listens on port 8008 for HTTP requests, so we need to configure our browser to use localhost:8008 as its proxy. Follow the same steps as for the OWASP ZAP and Burp Suite browser configurations; in this case, the port must be 8008.
(http://192.168.56.102/bodgeit/). We will see that it appears in the Summary tab of WebScarab.

Right-click on the bodgeit folder and select Spider tree from the menu, as shown:

The summary also shows some relevant information about each file: for example, whether it has an injection or possible injection vulnerability, whether it sets a cookie, whether it contains a form, and whether that form contains hidden fields. It also indicates the presence of comments in the code and of file uploads.

Select /bodgeit/search.jsp, right-click on it, and select Show conversation. A new window will pop up showing the request and response in various formats, as shown in the following screenshot:

In the Spider tab, we can adjust the regular expressions for what the spider fetches using the Allowed Domains and Forbidden Domains text boxes. We can also refresh the results with Fetch Tree and stop the spider by clicking the Stop button.
WebScarab's spider, like those of ZAP and Burp Suite, is useful for discovering all the files referenced in a website or directory without manually browsing every possible link. It also lets us analyze in depth the requests made to the server and reuse them to perform more sophisticated tests.
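To make concrete what the spider and the Summary tab are doing, here is an added example (written for this recipe, not WebScarab's own code): a minimal crawler over a constructed in-memory stand-in for the BodgeIt site, restricted by Allowed Domains / Forbidden Domains regexes, that flags per page whether it sets a cookie, contains a form, hidden fields, or HTML comments. The page contents, headers and the other.example host are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the target site: url -> (response headers, body).
# A real spider would issue HTTP requests through the proxy here.
SITE = {
    "http://192.168.56.102/bodgeit/": ({},
        '<a href="search.jsp">Search</a> <a href="login.jsp">Login</a>'
        ' <a href="http://other.example/">Partner</a> <!-- TODO: remove debug link -->'),
    "http://192.168.56.102/bodgeit/search.jsp": ({"Set-Cookie": "JSESSIONID=constructed"},
        '<form action="search.jsp"><input name="q">'
        '<input type="hidden" name="debug" value="0"></form>'),
    "http://192.168.56.102/bodgeit/login.jsp": ({},
        '<form action="login.jsp"><input name="username"></form> <a href="/bodgeit/">Home</a>'),
    "http://other.example/": ({}, '<a href="http://192.168.56.102/bodgeit/admin.jsp">x</a>'),
}

class PageScanner(HTMLParser):
    """Collect links plus the features WebScarab's Summary tab flags."""
    def __init__(self):
        super().__init__()
        self.links, self.form, self.hidden, self.comment = [], False, False, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.form = True
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden = True
    def handle_comment(self, data):
        self.comment = True

def spider(start, allowed, forbidden):
    """Breadth-first crawl; a host must match `allowed` and not match `forbidden`."""
    allowed_re, forbidden_re = re.compile(allowed), re.compile(forbidden)
    queue, summary = [start], {}
    while queue:
        url = urljoin(start, queue.pop(0))
        host = urlparse(url).netloc
        if url in summary or url not in SITE:          # already seen or "404"
            continue
        if not allowed_re.search(host) or forbidden_re.search(host):
            continue                                    # out of scope for the spider
        headers, body = SITE[url]
        p = PageScanner()
        p.feed(body)
        summary[url] = {"cookie": "Set-Cookie" in headers, "form": p.form,
                        "hidden": p.hidden, "comment": p.comment}
        queue.extend(urljoin(url, h) for h in p.links)  # resolve relative links
    return summary

if __name__ == "__main__":
    scope = spider("http://192.168.56.102/bodgeit/", r"192\.168\.56\.102|other\.example", r"other\.example")
    for url, flags in scope.items():
        print(url, flags)
```

Run it and note that other.example is never fetched even though the allowed regex permits it, because the forbidden regex wins, so the link it would have leaked to admin.jsp never enters the tree.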