WebScarab offers the tester a wealth of functionality, but it has a dual learning curve. To use it, you really have to 1) understand the HTTP protocol quite well (including POST requests) and 2) spend time familiarizing yourself with the tool itself. Neither the user interface nor the features themselves are completely straightforward. For those of you familiar with hand tools, it's a lot like a pipe wrench – not exactly the simplest tool to use correctly, but well worth learning how to use!
The application opens in "simple interface" mode, where most of the functionality is hidden.
The primary feature of WebScarab in this mode is acting as a proxy—the application can sit between your web browser and the target web server, intercepting HTTP messages and allowing you to examine the communications at the packet/message level.
This mode is extremely valuable for several tasks:
- Reviewing the data traveling between client (web browser) and server. This can help debug issues, allowing the tester to provide much more detailed defect reports.
- Modifying the requests from the client before they reach the server, allowing you to work around client-side checks and verify that the web server's own data validation is actually in place.
- Modifying those same requests to test the server's security stance, including its resistance to cross-site scripting, SQL injection, and outright fuzz testing.
By switching to the full-featured interface, you can take advantage of all of WebScarab's functionality.
You can spend days getting to know WebScarab's advanced features and when to use them. For the purpose of this ATE, let's drill down on a couple of them.
The first feature we'll look at is "SessionID Analysis". This mode gives you information about the randomness of the sessionIDs a web server hands out. Most web applications, including AJAX applications, generate a sessionID token when the user makes an initial request. This token is used to track session state, and to keep the user's session secure it must not be easily guessable. WebScarab's SessionID Analysis feature collects a series of these tokens and provides a statistical analysis of how random they appear.
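The kind of check the SessionID Analysis feature performs can be reproduced on a batch of tokens you have captured through the proxy. The following is an added example written for this article, not WebScarab's own code: it measures, per character position, how much the observed hex tokens actually vary, using two constructed sample sets (a hypothetical counter-based generator and a statistically uniform one).

```python
import hashlib
import math
from collections import Counter


def per_position_entropy(tokens):
    """Shannon entropy, in bits, of the symbol seen at each character position.

    With n samples the estimate cannot exceed log2(n), so collect more tokens
    than the alphabet size before trusting any per-position value.
    """
    n = len(tokens)
    width = min(len(t) for t in tokens)
    entropies = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def analyze_session_ids(tokens, symbol_bits=4.0, min_ratio=0.5):
    """Summarise how much the observed tokens vary.

    symbol_bits is the ideal entropy per character (4.0 for a hex alphabet).
    A token set whose summed entropy falls below min_ratio of the ideal is
    flagged as weak; positions that never change are counted separately.
    """
    ent = per_position_entropy(tokens)
    ideal = symbol_bits * len(ent)
    estimated = sum(ent)
    fixed = [i for i, h in enumerate(ent) if h == 0.0]
    verdict = "weak" if estimated < min_ratio * ideal else "adequate"
    return {"estimated_bits": estimated, "ideal_bits": ideal,
            "fixed_positions": len(fixed), "verdict": verdict}


# Constructed sample 1 (hypothetical): a counter-based generator where only
# the last two hex digits ever change between sessions.
WEAK_IDS = [f"{0x10000 + i:08x}" for i in range(64)]

# Constructed sample 2: tokens whose characters are uniformly distributed.
# Derived deterministically here so the example is reproducible; in practice
# you would feed in tokens captured from the real server.
UNIFORM_IDS = [hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:8]
               for i in range(64)]

if __name__ == "__main__":
    for name, ids in (("counter", WEAK_IDS), ("uniform", UNIFORM_IDS)):
        print(name, analyze_session_ids(ids))
```

Note the caveat this illustrates: the second sample set is a hash of a plain counter, so it is completely predictable to anyone who knows the scheme, yet it passes the statistical check. Distribution analysis detects tokens that are obviously structured; it cannot prove a generator is unpredictable.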
Another great feature of WebScarab is the parameter fuzzer. Fuzz testing is a mode of testing where input is 'stretched' well beyond the expected content. The parameter fuzzer is a semi-automated tool that lets the tester specify the various data to be used for fuzz testing parameters in a web application. These tests expose incorrect or insufficient data validation on the server side, uncovering a host of security-related issues.
As with all tools, the best way to learn to use WebScarab is to install it and drill into the functionality. The OWASP site has a great tutorial on using WebScarab, too.
This was first published in August 2010