• Home
• Topics
• Topics Archive
• Software Quality Resources
• What open source security tools experts stand by

What open source security tools experts stand by

Requires Free Membership to View

Login



When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.

Hannah Smalltree, Editorial Director

• E-mail Address: 

By submitting your registration information to SearchSoftwareQuality.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSoftwareQuality.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Web Scarab offers the tester a wealth of functionality, but it has a dual learning curve. To use it, 1) you really have to understand the HTTP protocol quite well (including POST) and 2) you need to spend time familiarizing yourself with it. Neither the user interface nor the features themselves are completely straightforward. For those of you familiar with hand tools, it's a lot like a pipe wrench – not exactly the simplest tool to use correctly, but well worth learning how to use!

The application opens in "simple interface" mode, where most of the functionality is hidden:

The primary feature of WebScarab in this mode is acting as a proxy—the application can sit between your web browser and the target web server, intercepting HTTP messages and allowing you to examine the communications at the packet/message level.

This mode is extremely valuable for several tasks:

• Reviewing the data traveling between client (web browser) and server. This can help debug issues, allowing the tester to provide much more detailed defect reports.
• Modifying the requests from the client, allowing you to work around client-side security and prove the web server's data validation is functional.
• Modifying the requests from the client, allowing you to go to work testing the server's security stance, including cross-site scripting, SQL injection, and sheer fuzz testing.

By switching to full-featured interface, you can really take advantage of all of Web Scarab's functionality.

You can spend days really getting to know Web Scarab's advanced features and when to use them. For the purpose of this ATE, let's drill down on a couple of them.

The first feature we'll look at is the "SessionID Analysis" feature. This mode gives you information regarding the randomness of a sessionID received from a web server. Most web applications, including AJAX applications, generate a sessionID token when the user makes an initial request. This token is used to store session state information, and to secure the user's session, the sessionID cannot be easily guessed. WebScarab's SessionID analysis feature provides statistical analysis of the randomness of generated sessionIDs.

Another great feature of WebScarab is the parameter fuzzer. Fuzz testing is a mode of testing where input is 'stretched' well beyond expected content. The parameter fuzzer is a semi-automated tool which allows the tester to specify various data to be used for fuzz testing paramaters in a web application. These tests expose incorrect or insufficient data validation on the server side, discovering a host of security-related issues.

As with all tools, the best way to learn to use WebScarab is to install it and drill into the functionality. The OWASP site has a great tutorial on using WebScarab, too.

Dig Deeper

This was first published in August 2010

More from Related TechTarget Sites

• SOA
• Java
• Windows Development
• Oracle
• Cloud computing
• Business Analytics

• SOA

  • App integration advisory: Use ESBs for message routing, translation

    Middleware experts advise that an ESB can help a SOA, but it can be harmful if used in the wrong cases.

  • How will mainframes fare in the face of mobile and Web?

    Heard at IBM Impact: Mainframes mean high-integrity transactions. How does this jibe with mobile apps using ''eventually consistent'' transactions?

  • Is REST remaking SOA? Gateways add features

    Lightweight REST-based SOA is beginning to exist aside established enterprise SOA. Crosscheck’s Mamoon Yunus discusses the trend.

• Java

  • Scaling up and scaling out to meet new business demands

    Scaling up and scaling out are two ways for growing businesses to increase productivity, but doing so blindly may be more costly than it's worth.

  • On-demand computing models support Web application scalability

    The on-demand nature of cloud computing has put scalable Web applications within easy reach for businesses of all sizes.

  • Automate Web server load balancing for high scalability

    Automating Web server load balancing tasks provides high scalability for enterprise applications.

• Windows Development

  • Where can I find Visual Basic 6.0 DataEnvironment code samples?

    Get information on the best places to find Visual Basic DataEnvironment 6.0 code samples.

  • Testing methods in Visual Studio 2010

    This is the second part in a two part series on unit testing in Visual Studio 2010.

  • Unit testing in Visual Studio 2010

    Visual Studio 2010 contains a unit testing framework, and I’ll show you how to use it to automate your own unit tests.

• Oracle

  • Midmarket companies find JD Edwards upgrades a good fit

    At some point, your JD Edwards shop will have to decide whether to switch to a different product, upgrade or stay where you are. Learn what two other organizations did when working through JD Edwards upgrades.

  • Jury issues partial verdict in Oracle vs. Google Java lawsuit

    The jury has issued a partial verdict in the copyright phase of the Oracle vs. Google lawsuit, in which Oracle is claiming that Google violated Java patents and copyright with its Android mobile operating system.

  • Support of Oracle customizations

    Sebastian Grady, president of Oracle third-party support firm Rimini Street, explains how Oracle does not support Oracle software customizations.

• Cloud computing

  • Azure’s identity crisis and other cloud computing sound bites

    Microsoft Azure wants to be called Loretta. No, that’s not true. Or is it? Find out that answer and other news overheard in the cloud this past week.

  • Is PaaS just another four-letter word in cloud computing?

    PaaS is a quick fix for companies looking to deploy new apps, but established firms with legacy apps may consider it a dirty word.

  • PaaS selection starts at the programming language

    The PaaS market is growing without a single leader or approach. Picking a model should involve more than just saying, ‘Eeney, meeney, miney, moe.’

• Business Analytics

  • On the go the way to go? Answer lies with building mobile BI business case

    According to a recent Gartner survey, mobile technology is the second most important priority for CIOs in 2012, but building the business case is easier said than done.

  • Basic vs. complex: Companies walk the line on analytics best practices

    Businesses looking to build effective business intelligence and analytics programs have to toe the line between focusing on the basics and using new technology to build more complex BI systems.

  • Real estate company refines, expands geographic information system

    Marcus & Millichap shakes off its archaic data cleansing and analytics system for more automated processes, enabling the firm to explore its data on a more granular level.

• About us
• Contact us
• Site index
• Privacy policy
• Advertisers
• Business partners
• Events
• Media kit
• TechTarget corporate site
• Reprints
• Site map