
c17a8f55a32af07776c11ebe09a32a57.ppt
- Number of slides: 13
WebScarab-NG: Autumn of Code 2006 Project
Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, dave.wichers@aspectsecurity.com
OWASP AppSec Milan, Oct 2007
WebScarab Project Lead: Rogan Dawes, rogan@dawes.za.net
Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation, http://www.owasp.org/
What is WebScarab?
- A tool for anyone involved with HTTP-based applications (e.g. web applications)
- Key features
  - Full visibility into the HTTP protocol
  - Ability to modify HTTP requests in any way
  - Also supports HTTPS (incl. client certs)
  - Persistent audit trail can easily be reviewed
- Primary uses
  - Security analysis, web application debugging
OWASP AppSec Milan 2007
Who is writing WebScarab-NG?
- Rogan Dawes
  - rogan@dawes.za.net
  - Lives in South Africa (just had his first baby May 3rd (Connor Michael Hastings Dawes), otherwise he'd be here!!)
- Has been developing proxy tools for a while
  - First Mangle (in Perl), then Exodus (in Java)
  - Then WebScarab and now WebScarab-NG
- Currently works for Aspect Security
What is wrong with WebScarab?
"Plainly put - WebScarab's UI is a disaster!" – Rogan Dawes, author of WebScarab
WebScarab Deficiencies - Summary
- UI not intuitive
- Expected UI sugar, like "right-click copy and paste menus", etc. not available
  - Trying to retro-fit is a huge task
- Extensive functionality (plugins) is intimidating
- Close coupling between the underlying data model and the presentation layer
- 1000s of files written by WebScarab to record a session (even temporary sessions!)
The solution: WebScarab-NG
WebScarab-NG Benefits
- Using Spring we get
  - Tons of (Human Interface Guidelines-compliant) stuff, almost without effort
    - Easy internationalization of text
    - Automatic "copy and paste" menus
    - Robust command framework – automatic activation and deactivation of commands when appropriate
    - Intuitive separation of View from Model/Data Layer
  - Spring JDBC code is also very easy to write
Current WebScarab-NG features
- Intercepting Proxy
  - Intercept and modify HTTP(S) conversations
- Manual Request
  - Modify and replay requests
- Flexible perspectives
  - Eclipse-like
  - Can choose which views to include
- Data written to a local in-process database
- Runs using Java Web Start
  - Automatic updates!
- But lots of WebScarab features not yet ported
WebScarab-NG special features
- Proxy control bar
  - Stays on top
  - Drop-down control of request intercept
  - Annotate the next conversation to be made
- Docking framework
- Validation
WebScarab-NG – finding conversations
- Select URL(s) to filter the conversation list
- Filter further by keyword or search (Ctrl-F)
So why use the old WebScarab?
- Reliability – extensive testing over 4 years
- More features
  - Web Services support
  - Transcoder (an encoder / decoder)
  - Include/Exclude filters
  - Reverse proxy
  - Spider
  - XSS/CRLF injection tests
  - Session ID analysis
  - Scripting engine
  - Fuzzer
  - Advanced search
  - SSL client certificate support
The future of WebScarab (-NG)
- Significant new development only on -NG
  - Unless we get patches
- OWASP Spring of Code 2007
  - Implementation of automated testing
  - Record and replay test cases
- Reimplementation of major features
  - Spider (incl. forms!)
  - Web Services
  - Reverse proxy
  - Improved Session ID analysis
  - Scripting engine
- Automated identity tracking
Q & A - Questions and Answers