Vanstechelman.eu
 
Home » Security
  

Using the WebScarab bean shell to modify requests/responses

Description of WebScarab taken from the OWASP WebScarab project website:
"WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab."
WebScarab also has a function called the "bean shell". This allows for the execution of arbitrarily complex operations on requests and responses. Anything that can be expressed in Java can be executed.
The following code example shows how you can change all requests from "www.google.be" to "www.google.com":

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.model.HttpUrl;
import java.io.IOException;


public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
   String url = request.getURL().toString();
   url = url.replace("www.google.be", "www.google.com");
   httpurl = new HttpUrl(url);
   request.setURL(httpurl);
   return nextPlugin.fetchResponse(request);
}

The following code will go through all headers received in the response and will delete the 'Set-Cookie' headers for cookie-names starting with __utm. The purpose is to not cache the __utma and the __utmz cookies in the browser.

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.NamedValue;

import java.io.IOException;

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
   response = nextPlugin.fetchResponse(request);
   String nvName;
   String nvValue;
   int counter=0;

   NamedValue[] nv = response.getHeaders();
   NamedValue[] newNV = new NamedValue[nv.length];
   for(int i=0; i < nv.length; i++)
   {
      nvName = (nv[i]).getName();
      nvValue = (nv[i]).getValue();
      if (!(nvName.startsWith("Set-Cookie") && nvValue.startsWith("st8id")))
      {
         newNV[counter]=new NamedValue(nvName, nvValue);
         counter++;
      }
   }

   NamedValue[] responseHeaders = new NamedValue[counter];
   for(int i = 0; i < counter; i++)
      responseHeaders[i] = newNV[i];
   response.setHeaders(responseHeaders);

   return response;
}

Request and Response methods

Request methods that you may use are:

  • String getMethod()
  • void setMethod(String method)
  • HttpUrl getURL()
  • void setURL(HttpUrl url)
  • void setURL(String url) throws MalformedURLException
  • String getVersion()
  • void setVersion(String version)

Response methods that you may use are:

  • String getVersion()
  • void setVersion(String version)
  • String getStatus()
  • void getStatus(String status)
  • String getMessage()
  • void setMessage(String message)
  • String getStatusLine()

The following methods are common to both the Request and Response objects:

  • String[] getHeaderNames()
  • String getHeader(String name)
  • void setHeader(String name, String value)
  • void addHeader(String name, String value)
  • void deleteHeader(String name)
  • NamedValue[] getHeaders()
  • void setheaders(NamedValue[] headers)
  • byte[] getContent()
  • void setContent(byte[] content)

References
© Copyleft 2005-2011 - Lode Vanstechelman - Login