Example of Scripting OWASP WebScarab: The Poor-Man’s Client-Side mod_rewrite

OWASP’s WebScarab is a Java-based web proxy.  We use it quite a bit in our web application security assessments and training classes.  It also comes in handy as a debugging tool when building web applications.

This weekend I was having problems with a misconfigured off-the-shelf web application that was rendering URLs incorrectly on the server side.  It was sending back bad URLs for the included images and stylesheets, causing the pages to render incorrectly and basically making the site unusable.  If I had all sorts of time on my hands perhaps I would do something like “go and find the root cause and actually fix the underlying problem.”  Since I’m kind of lazy and was in a bit of a time crunch I decided to just write a quick script in WebScarab to rewrite the URLs on the client side.  That way the request URLs get changed before they reach the server side, the server sends back the proper resources and the site works like it should.

I didn’t want to rewrite all of the request URLs because the ones for dynamic content were being rendered correctly.  I only wanted to modify the ones for static HTML/image/stylesheets.  So…  if the server tells the browser to request:

/cgi-bin/cgi.exe/application/html/images/logo.gif

what I actually want to request is:

/html/images/logo.gif

Below is the code I used.  To make it work you should just have to set the stringToFind and stringToReplace variables: stringToFind is the path fragment that marks a request as one to rewrite, and stringToReplace is (the name notwithstanding) the leading part of that fragment that gets cut out of the URL, so it must be a prefix of stringToFind.

/* Please read the JavaDoc and/or the source to understand what methods are available */

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.model.HttpUrl;
import java.io.IOException;

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {

  // TODO - Update these strings for the desired replacement.
  // stringToFind identifies a request that needs rewriting (the broken static-content path).
  // stringToReplace is, despite its name, the leading portion of stringToFind that is cut
  // out of the URL: it must be a prefix of stringToFind so that whatever follows it
  // ("/html" here) is kept.
  String stringToFind = "/cgi-bin/cgi.exe/application/html";
  String stringToReplace = "/cgi-bin/cgi.exe/application";

  String originalUrl = request.getURL().toString();

  if(originalUrl != null) {
    int startIndex = originalUrl.indexOf(stringToFind);
    if(startIndex >= 0) {
      // Everything before the match (scheme, host, port) ...
      String newUrlStart = originalUrl.substring(0, startIndex);
      // ... followed by everything after the dropped prefix ("/html/images/logo.gif").
      String newUrlEnd = originalUrl.substring(startIndex + stringToReplace.length());
      String newUrl = newUrlStart + newUrlEnd;

      // An invalid newUrl makes the HttpUrl constructor throw; the method's
      // throws IOException clause passes that on rather than swallowing it.
      request.setURL(new HttpUrl(newUrl));
    } else {
      // No need to rewrite the URL
    }
  }
  Response response = nextPlugin.fetchResponse(request);
  return response;
}

This code gets placed in the Proxy -> Bean Shell tab and you click Commit to enable it.  Worked like a champ.
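As an added example (not code from the original post, nor part of WebScarab itself), here is a variant of the same Bean Shell script that generalizes the rewrite to a table of path-prefix rules and confines the match to the path component of the URL. It relies only on the two WebScarab calls the original script uses, request.getURL().toString() and request.setURL(new HttpUrl(...)), and uses the standard java.net.URL class to take the URL apart and put it back together. The second rule ("/css") is a hypothetical placeholder, not a path from the application in the post, and the script assumes, as BeanShell normally allows, that the arrays and helper method declared at the top level stay visible to fetchResponse.

```java
/* Added example for the Proxy -> Bean Shell tab. Generalizes the post's script to
 * several path-prefix rules and matches on the path only. Not the original author's code. */
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.model.HttpUrl;
import java.net.URL;
import java.io.IOException;

// Rule i: a path starting with findPrefixes[i] gets that prefix swapped for replacePrefixes[i].
// The first rule reproduces the post's rewrite; the second is a hypothetical extra static tree.
String[] findPrefixes    = { "/cgi-bin/cgi.exe/application/html", "/cgi-bin/cgi.exe/application/css" };
String[] replacePrefixes = { "/html",                             "/css" };

// Rewrite only the path. The original's indexOf() over the whole URL string would also
// fire on the same text inside a query-string value or on a request to a different host.
String rewritePath(String path) {
    for (int i = 0; i < findPrefixes.length; i++) {
        String find = findPrefixes[i];
        if (path.startsWith(find)) {
            String rest = path.substring(find.length());
            // Insist on a segment boundary so "/html" does not also match "/htmlx/...".
            if (rest.length() == 0 || rest.charAt(0) == '/') {
                return replacePrefixes[i] + rest;
            }
        }
    }
    return path;   // no rule matched: leave the request alone
}

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    if (request.getURL() != null) {
        // java.net.URL gives us the components without guessing at HttpUrl's accessors.
        // Its constructor throws MalformedURLException, an IOException, on a bad URL.
        URL u = new URL(request.getURL().toString());
        String newPath = rewritePath(u.getPath());
        if (!newPath.equals(u.getPath())) {
            // Rebuild so scheme, host, explicit port and query string survive unchanged.
            StringBuffer sb = new StringBuffer();
            sb.append(u.getProtocol()).append("://").append(u.getHost());
            if (u.getPort() != -1) sb.append(":").append(u.getPort());
            sb.append(newPath);
            if (u.getQuery() != null) sb.append("?").append(u.getQuery());
            request.setURL(new HttpUrl(sb.toString()));
        }
    }
    Response response = nextPlugin.fetchResponse(request);
    return response;
}
```

With the first rule in place, a request for http://host/cgi-bin/cgi.exe/application/html/images/logo.gif?v=2 goes out as http://host/html/images/logo.gif?v=2, while a request whose query string merely mentions /cgi-bin/cgi.exe/application/html is left untouched. Rules are tried in order, so put the most specific prefix first if one is a prefix of another.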

Contact us for help getting the most out of OWASP tools.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.


3 Responses to “Example of Scripting OWASP WebScarab: The Poor-Man’s Client-Side mod_rewrite”

  1. Rogan Dawes

    Nice work! That is one of the reasons that I added the scripting support, so that people could do things that are not easily expressed in other ways. While this particular use case could have been satisfied by a simple match/replace, the scripting feature gives the ability to do so much more as well!

    Thanks for writing it up!

  2. web proxy

    Good answer back in return of this matter with genuine arguments and describing all about that.
