WebScarab

WebScarab is a powerful web application security assessment tool. It has several modes of operation, but is mainly operated through its intercept proxy. This proxy sits between the end user's browser and the target web application to monitor and modify the requests and responses transmitted in either direction. This lets the auditor manually craft requests and observe the responses the web application sends back. It also integrates a number of tools, such as a fuzzer, session ID analysis, a spider, a web services analyzer, an XSS and CRLF vulnerability scanner, and a transcoder.

To start WebScarab lite, navigate to Applications | Web Application Analysis | webscarab or, in a Terminal, type the following:

# webscarab

This will pop up the lite edition of WebScarab. For our exercise, we are going to switch it to the full-featured edition by navigating to Tools | Use full-featured interface in the menu bar. A dialog will confirm the selection, and you must then restart the application. Once you restart WebScarab, you will see a number of tool tabs on your screen. Before we start our exercise, we need to configure the browser to use the local proxy (127.0.0.1, port 8008) so that the target application is browsed through the WebScarab intercept proxy. If you want to change the local proxy (IP address or port), navigate to the Proxy | Listeners tab. The following steps will help you analyze the target application's session ID:

  • Once the local proxy has been set up, you should browse to the target website (for example, http://192.168.0.30/mutillidae) and visit as many links as possible. This will increase the probability of catching any known and unknown vulnerabilities. Alternatively, you can select the target under the Summary tab, right-click, and choose Spider tree. This will fetch all of the available links in the target application.
  • If you want to check the request and response data for a particular page listed at the bottom of the Summary tab, double-click on it; the parsed request is shown in both tabular and raw format. The response can also be viewed in HTML, XML, text, and hex formats.
  • During the test period, we may decide to fuzz one of the target application's links that carries parameters (for example, artist=1) with the GET method. This may reveal an unidentified vulnerability, if one exists. Right-click on the selected link and choose Use as fuzz template. Now, click on the Fuzzer tab and manually apply different values to the parameter by clicking on the Add button near the Parameters section. In our case, we wrote a small text file listing known SQL injection test strings (for example, 1 AND 1=2, 1 AND 1=1, and a single quote (')) and provided it as the source for the fuzzed parameter value. This can be accomplished using the Sources button under the Fuzzer tab. Once your fuzz data is ready, click on Start. After all tests are complete, you can double-click on an individual request and inspect its response. In one of our test cases, we discovered a MySQL injection vulnerability:
    • Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
    • Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/default/htdocs/listproducts.php on line 74
  • In our last test case, we decided to analyze the target application's session ID. For this purpose, go to the SessionID Analysis tab and choose Previous Requests from the combo box. Once the chosen request has been loaded, go to the bottom, select the number of samples (for example, 20), and click on Fetch to retrieve that many session IDs. After that, click on the Test button to start the analysis process. You can see the results on the Analysis tab and a graphical representation on the Visualization tab. This process measures the randomness and unpredictability of the session IDs; weak or predictable IDs could allow an attacker to hijack other users' sessions or credentials.
This tool has a variety of options and features that can add real value to a penetration test. To get more information about the WebScarab project, visit http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project.