How to do it...

WebScarab can be found in Kali's Applications menu; go to 03 - Web Application Analysis | webscarab. Alternatively, from the terminal, run the webscarab command. Proceed with the following steps:

  1. Browse to the BodgeIt application of vulnerable_vm (http://192.168.56.11/bodgeit/). We will see that it appears in the Summary tab of WebScarab.
  2. Now we right-click on the bodgeit folder and select Spider tree from the menu:
  3. All requests will appear in the bottom half of the Summary and the tree will be filled as the spider finds new files:

The Summary also shows some relevant information about each particular file, such as whether it has an injection or possible injection vulnerability, whether it sets a cookie, whether it contains a form, and whether that form contains hidden fields. It also indicates the presence of comments in the code and of file uploads.

  4. If we right-click on any of the requests in the bottom half, we will see the operations we can perform on them. To analyze a request, find the path /bodgeit/search.jsp, right-click on it, and select Show conversation. A new window will pop up showing the request and the response in various formats:
  5. Now click on the Spider tab:

In this tab, we can control what the spider fetches by adjusting the regular expressions in the Allowed Domains and Forbidden Paths textboxes. We can refresh the results with Fetch Tree, and stop the spider by clicking the Stop button.
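As an added illustration (not code from the book or from WebScarab), the script below reproduces two things this recipe relies on: the per-file flags the Summary tab reports for a response (cookie set, form present, hidden fields, comments, file upload) and a scope check in the style of the Spider tab's Allowed Domains and Forbidden Paths regular expressions. The sample response and the regular expressions are constructed for the example and are not real captures.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageScanner(HTMLParser):
    """Collects the per-file facts that WebScarab's Summary tab reports."""

    def __init__(self):
        super().__init__()
        self.forms = self.hidden_fields = self.file_uploads = self.comments = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.forms += 1
        elif tag == "input" and a.get("type") == "hidden":
            self.hidden_fields += 1
        elif tag == "input" and a.get("type") == "file":
            self.file_uploads += 1

    def handle_comment(self, data):
        self.comments += 1


def summarize(headers, body):
    """Summary-style flags for one response (headers: dict, body: HTML text)."""
    s = _PageScanner()
    s.feed(body)
    return {
        "set_cookie": any(k.lower() == "set-cookie" for k in headers),
        "form": s.forms > 0,
        "hidden_fields": s.hidden_fields > 0,
        "comments": s.comments > 0,
        "file_upload": s.file_uploads > 0,
    }


def in_scope(url, allowed_domains, forbidden_paths):
    """Spider-tab style check: host must match allowed_domains and the
    path must not match forbidden_paths (both are regular expressions)."""
    u = urlparse(url)
    return bool(re.search(allowed_domains, u.netloc)) and not re.search(forbidden_paths, u.path)


# Constructed sample response modelled on a BodgeIt search page (not a real capture).
SAMPLE_HEADERS = {"Content-Type": "text/html", "Set-Cookie": "JSESSIONID=abc123; Path=/bodgeit"}
SAMPLE_BODY = """<html><!-- build 42 --><body><form action="search.jsp" method="get">
<input type="hidden" name="debug" value="0"/><input type="text" name="q"/>
<input type="submit"/></form></body></html>"""

if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS, SAMPLE_BODY))
    print(in_scope("http://192.168.56.11/bodgeit/search.jsp", r"^192\.168\.56\.11$", r"/logout"))
```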
