webscarab. webscarab was written by rogan dawes and is available through the owAsP website. if you are running Backtrack, a version of webscarab is already installed. this powerful framework is modular in nature and allows fIGURE 5.3
Entering a Target in the Websecurify Start Test Window.
fIGURE 5.4
you to load numerous plug-ins to customize it to your needs. even in its default configuration, webscarab provides an excellent resource for interacting with and interrogating web targets.
After having run the vulnerability scanners, nikto and websecurify, the next logical step is to run a spidering program on the target website. spiders are extremely useful in reviewing and reading (or crawling) your target’s website looking for all links and associated files. each of the links, web pages, and files discovered on your target are recorded and cataloged. this cataloged data can be useful for accessing restricted pages and locating unintentionally disclosed documents or information.
You can access the spider function in webscarab by first starting the program through the k-start dragon. this can be accomplished by clicking: k-start dragon → Backtrack → web Application Analysis → web (front end) → webscarab lite.
this will load the webscarab program. However, before you can begin spider- ing your target, you will need to switch to the “full-featured interface.” You can do this by clicking on the “tools” menu and putting a checkbox in the “Use full-featured interface” checkbox as shown in figure 5.5.
After switching to the full-featured interface, you will be prompted to restart webscarab. once you restart the tool, you will be given access to a number of new panels along the top of the window including the “spider” tab.
now that you have set up webscarab, you need to configure your browser to use a proxy. setting up webscarab as your proxy will cause all the web traf- fic going into and coming out of your browser to pass through the webscarab program. in this respect, the proxy program acts as a middle man and has the ability to view, stop, and even manipulate network traffic.
setting up your browser to use a proxy is usually done through the prefer- ences or network options. in firefox, you can click on: edit → Preference. in the firefox Preferences window, click the “Advanced” menu followed by the “network” tab. finally, click on the “settings” button as shown in figure 5.6. clicking on the settings button will allow you to configure your browser to use webscarab as a proxy. select the radio button for “manual proxy configura- tion:”. next enter: 127.0.0.1 in the “HttP Proxy:” input box. finally enter: 8008
fIGURE 5.5
into the “Port” field. it is usually a good idea to check the box just below the “HttP Proxy” box and select “Use this proxy server for all protocols.” once you have all of this information entered, you can click “ok” to exit the connection settings window and “close” to exit the firefox Preferences window. figure 5.7 shows an example of my firefox connection settings window.
At this point, any web traffic coming into or passing out of your browser will route through the webscarab proxy. two words of warning: first you need to fIGURE 5.6
Setting Up Firefox to Use WebScarab as a Proxy.
fIGURE 5.7
leave webscarab running while it is serving as a proxy. if you close the pro- gram, you will not be able to browse the internet. if this happens, firefox is great at providing you with an error message that it cannot find a proxy and you will need to restart webscarab or change your network configura- tion in firefox. the second warning is that while surfing the internet using a local proxy, all https traffic will show up as having an invalid certificate! this is expected behavior because your proxy is sitting in the middle of your connection.
As a side note, it is important that you always pay attention to invalid security certificates when browsing. At this point, certificates are your best defense and often your only warning against a man-in-the-middle attack.
now that you have set up a proxy and have configured your browser, you are ready to begin spidering your target. You begin by entering the target Url into the browser. in our earlier example, we discovered a website running on 172.16.45.132. entering the following into your firefox browser will load the website through webscarab. once the website has loaded in your browser, you can switch over the webscarab program. You should see the Url you entered (along with any others that you have visited since starting your proxy). to spider the site, you right click the Url and choose “spider tree” as shown in figure 5.8. You can now view each of the files and folders associated with your target web- site. individual folders can be further spidered by right clicking and choosing “spider tree” again. You should spend time carefully examining every nook and cranny within your authorized scope. spidering a website is a great way to find inadvertently or leaked confidential data from a target website.
fIGURE 5.8