
owasp-webscarab's Introduction

This is the WebScarab OpenSource project, hosted at
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

It aims to become a tool that may be used automatically or interactively
to test web applications for their security.
WebScarab is written in 100% pure Java and designed around a fairly clean
set of interfaces, so that existing components can be removed or substituted
and new analysis systems added.

For more details, please see the URL above.

owasp-webscarab's People

Contributors

cmlh, fcorneli, holiman, kevinvandenbreemen, lekensteyn, master-jim, pmop, rogandawes, spixi


owasp-webscarab's Issues

Concurrency issues

I encountered a weird locking-related issue that leads to high CPU load under certain conditions. Both HTTP and HTTPS are affected.

  1. Set Firefox 19 to use the webscarab proxy
  2. Open http://www.youtube.com/watch?v=Sb5aq5HcS1A and start playing flash (since I use NoScript, I have to click to start)
  3. After Flash has started playing for a few seconds (1-2?), look in the WebScarab console. You see a lot of messages that mention that a lock could not be acquired. (You can close the YouTube tab after some seconds; this saves you from further flooding of your console.)

Obviously, this is bad. One browser request should not freeze WS. I tried reproducing this case with a page containing 200 links and a page containing 5 iframes to the previous page with 200 links. That did not expose the issue. For now you have to use YouTube (more specifically, the Flash player) to reproduce it.

The branch I use for debugging this issue: https://github.com/Lekensteyn/OWASP-WebScarab/tree/lock-debug. I added some colored debug prints and observed:

  • Reads are always allowed when no writer is active.
  • That leads to starvation: until all readers are done, no writer can continue.

A quick look at the involved locks makes me think that locks are used for:

  • synchronizing access to the Swing model (multiple models?)
  • synchronizing access to the filesystem writer
  • (I probably missed some)

My questions:

  • Why are the model locks necessary? Isn't it only necessary when actually writing to the Swing model? (Can you explain the rationale and ideas behind the framework structure?)
  • If the locks are necessary for Swing, could it be made more concurrency-friendly by grouping changes when Swing is available to receive data? (Pardon my ignorance with Swing, I have only worked very briefly with it.)

While working on this issue, consider moving to java.util.concurrent as recommended by the author of the concurrency classes.
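The starvation pattern reported above (readers may always enter while no writer holds the lock, so a waiting writer never gets its turn while reads overlap) can be reproduced in isolation. The following is an added example written for this page, not WebScarab code: the reader-preferring lock is a hypothetical model of the behaviour described in the report, not the project's own lock classes, and the fair java.util.concurrent lock is the replacement the last sentence suggests. The reader count, durations and sleep times are arbitrary choices for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.locks.ReentrantReadWriteLock;

/** Hypothetical demo, not WebScarab code: why "readers always enter while no writer is active" starves writers. */
public class WriterStarvationDemo {

    /** Minimal read/write lock contract so both implementations run under the same harness. */
    interface RwLock {
        void readLock() throws InterruptedException;
        void readUnlock();
        void writeLock() throws InterruptedException;
        void writeUnlock();
    }

    /** Reader-preferring lock: a reader enters whenever no writer HOLDS the lock, even if one is WAITING. */
    static final class ReaderPreferringLock implements RwLock {
        private int readers;
        private boolean writerActive;

        public synchronized void readLock() throws InterruptedException {
            while (writerActive) wait();          // a waiting writer is ignored here: the starvation bug
            readers++;
        }
        public synchronized void readUnlock() { readers--; notifyAll(); }
        public synchronized void writeLock() throws InterruptedException {
            while (writerActive || readers > 0) wait();
            writerActive = true;
        }
        public synchronized void writeUnlock() { writerActive = false; notifyAll(); }
    }

    /** java.util.concurrent replacement: in fair mode a queued writer blocks readers that arrive after it. */
    static final class FairReadWriteLock implements RwLock {
        private final ReentrantReadWriteLock rw = new ReentrantReadWriteLock(true);
        public void readLock() { rw.readLock().lock(); }
        public void readUnlock() { rw.readLock().unlock(); }
        public void writeLock() { rw.writeLock().lock(); }
        public void writeUnlock() { rw.writeLock().unlock(); }
    }

    /**
     * Runs readerThreads readers that re-acquire the read lock back to back for readMillis,
     * then measures how long one writer has to wait before it gets the lock.
     */
    static long writerWaitMillis(RwLock lock, int readerThreads, long readMillis) throws InterruptedException {
        final long stopAt = System.currentTimeMillis() + readMillis;
        List<Thread> readers = new ArrayList<>();
        for (int i = 0; i < readerThreads; i++) {
            Thread t = new Thread(() -> {
                try {
                    while (System.currentTimeMillis() < stopAt) {
                        lock.readLock();
                        try { Thread.sleep(5); } finally { lock.readUnlock(); }   // simulated read
                    }
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                }
            });
            t.start();
            readers.add(t);
        }
        Thread.sleep(50);                        // let the readers' critical sections overlap
        long start = System.currentTimeMillis();
        lock.writeLock();
        long waited = System.currentTimeMillis() - start;
        lock.writeUnlock();
        for (Thread t : readers) t.join();
        return waited;
    }

    public static void main(String[] args) throws InterruptedException {
        long naive = writerWaitMillis(new ReaderPreferringLock(), 8, 2000);
        long fair = writerWaitMillis(new FairReadWriteLock(), 8, 2000);
        System.out.printf("reader-preferring lock: writer waited %d ms%n", naive);
        System.out.printf("fair ReentrantReadWriteLock: writer waited %d ms%n", fair);
    }
}
```

With the reader-preferring lock the writer typically waits for most of the read burst, because each reader re-enters before the last one leaves; with the fair ReentrantReadWriteLock it gets in within a few milliseconds, since readers arriving after the writer queue behind it. Exact numbers vary with scheduling.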

Windows - Error instantiating the PKCS11 provider

I get this error message when starting WebScarab on Windows 7:

Error instantiating the PKCS11 provider
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at org.owasp.webscarab.httpclient.AbstractCertificateRepository.initPKCS11(AbstractCertificateRepository.java:163)
    at org.owasp.webscarab.httpclient.SSLContextManager.<init>(SSLContextManager.java:55)
    at org.owasp.webscarab.httpclient.HTTPClientFactory.<init>(HTTPClientFactory.java:77)
    at org.owasp.webscarab.httpclient.HTTPClientFactory.<clinit>(HTTPClientFactory.java:55)
    at org.owasp.webscarab.plugin.Framework.configureHTTPClient(Framework.java:379)
    at org.owasp.webscarab.plugin.Framework.<init>(Framework.java:100)
    at org.owasp.webscarab.WebScarab.main(WebScarab.java:118)
Caused by: java.security.ProviderException: Error parsing configuration
    at sun.security.pkcs11.Config.getConfig(Config.java:88)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:128)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107)
    ... 11 more
Caused by: sun.security.pkcs11.ConfigurationException: Absolute path required for library value: lib/p11-capi.dll
    at sun.security.pkcs11.Config.parseLibrary(Config.java:681)
    at sun.security.pkcs11.Config.parse(Config.java:398)
    at sun.security.pkcs11.Config.<init>(Config.java:220)
    at sun.security.pkcs11.Config.getConfig(Config.java:84)
    ... 13 more

I was able to fix the issue in SSLContextManager.java with this change:

initPKCS11("P11-CAPI", new File(".").getAbsolutePath() + "/lib/p11-capi.dll", 0, "");
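The fix above builds the absolute path from the JVM's working directory, which depends on where WebScarab was launched from. As an added example (not part of this report and not WebScarab code), here is one way to resolve the library relative to the application's install directory instead, refuse non-absolute paths before SunPKCS11 does, and skip the provider rather than abort startup when the DLL is missing. It assumes a Java 9+ runtime (for Provider.configure); the class name and method names are hypothetical.

```java
import java.io.File;
import java.net.URISyntaxException;
import java.security.Provider;
import java.security.Security;

/** Hypothetical helper, not WebScarab code: SunPKCS11 config with an absolute, existence-checked library path. */
public final class Pkcs11Bootstrap {

    private Pkcs11Bootstrap() {}

    /** Directory containing the jar (or classes directory) that anchorClass was loaded from. */
    static File installDir(Class<?> anchorClass) throws URISyntaxException {
        File location = new File(anchorClass.getProtectionDomain().getCodeSource().getLocation().toURI());
        return location.isDirectory() ? location : location.getParentFile();
    }

    /** Inline SunPKCS11 config; the leading "--" tells Provider.configure the argument is the config text itself. */
    static String inlineConfig(String name, File library, int slotListIndex) {
        if (!library.isAbsolute()) {
            // Same rule SunPKCS11's Config.parseLibrary enforces, checked before touching the provider
            throw new IllegalArgumentException("SunPKCS11 requires an absolute library path: " + library);
        }
        return "--name = " + name + "\n"
             + "library = " + library.getAbsolutePath() + "\n"
             + "slotListIndex = " + slotListIndex + "\n";
    }

    /**
     * Loads and registers the provider when the native library exists; returns null and leaves the
     * JVM usable otherwise, instead of failing application startup (Java 9+ Provider.configure API).
     */
    static Provider loadIfPresent(String name, File library, int slotListIndex) {
        if (!library.isFile()) {
            System.err.println("PKCS#11 library not found, skipping provider " + name + ": " + library);
            return null;
        }
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            System.err.println("SunPKCS11 provider is not available in this JVM");
            return null;
        }
        Provider configured = base.configure(inlineConfig(name, library, slotListIndex));
        Security.addProvider(configured);
        return configured;
    }

    public static void main(String[] args) throws Exception {
        // lib/p11-capi.dll relative to the install directory, as in the report
        File lib = new File(installDir(Pkcs11Bootstrap.class), "lib/p11-capi.dll");
        System.out.print(inlineConfig("P11-CAPI", lib, 0));
        Provider p = loadIfPresent("P11-CAPI", lib, 0);
        System.out.println(p == null ? "provider not loaded" : "loaded provider " + p.getName());
    }
}
```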

Webscarab and the latest Mozilla version 121

I tried to configure WebScarab in the Mozilla Firefox settings (latest version 121). However, it did not work, as I could not connect to the internet after configuring Mozilla version 121. Does WebScarab even work with the latest Mozilla version 121? There is no answer to this question on Google. That is why I asked the question.

SSL Mutual Authentication

Dear All,

Trust you're fine. Please help with this issue I've been struggling with:

When trying to connect to an HTTPS site whose certificate was issued by Verisign, using WebScarab as proxy, the browser crashes, which I rightly assumed is due to a certificate problem. So, I instructed the WebScarab proxy listener to use that particular link as base URL on port 443. This solved the problem partially, as the browser no longer crashes but does not display the HTTPS page, just blank.

I googled the subject but it wasn't that clear. So, if you have something to share, please....

Thanks and Regards,

Victor

Unable To Install WebScarab

Recently I came to know about WebScarab and tried installing it on my system running Win 8. It ended up with an Application Error dialogue box which said Unable To Start Application.
When I checked the details, it said
ExitException[ 3]com.sun.deploy.net.FailedDownloadException: Unable to load resource: http://dawes.za.net/rogan/webscarab/$$codebase/$$name
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Please Help me Out...
Thanks In Advance :)

MD2withRSA certificate breaks connection setup

I have encountered a strange error with a public server (which is quite misconfigured). The most important misconfiguration that affects Webscarab is that it provides a root certificate that uses MD2withRSA. This algorithm is rejected by Java because of its weakness, but that also breaks the connection setup.

When using the default trusted root certificates (Firefox, Java with default trust store), the handshake completes. I have tracked down the issue to org/owasp/webscarab/httpclient/SSLContextManager.java. Changing it to use the default trust store allows Java to validate the certificate against an existing root cert, so the last cert can be skipped. This of course means that self-signed certs and other untrusted certs get rejected by WS:

--- a/src/org/owasp/webscarab/httpclient/SSLContextManager.java
+++ b/src/org/owasp/webscarab/httpclient/SSLContextManager.java
@@ -50,7 +50,7 @@ public class SSLContextManager extends AbstractCertificateRepository {
        System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
         try {
             _noClientCertContext = SSLContext.getInstance("SSL");
-            _noClientCertContext.init(null, _trustAllCerts, new SecureRandom());
+            _noClientCertContext.init(null, null, new SecureRandom());
         } catch (NoSuchAlgorithmException nsao) {
             _logger.severe("Could not get an instance of the SSL algorithm: " + nsao.getMessage());
         } catch (KeyManagementException kme) {
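Review bot: passing null instead of _trustAllCerts on the changed init() line hands the outbound context to the JDK default trust manager, so every self-signed or private-CA server the tester wants to intercept is now rejected, which the description acknowledges but which is a regression for an intercepting proxy. The trace further down points at a narrower fix: the rejection is raised in sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust, the wrapper JSSE puts around a TrustManager that is not an X509ExtendedTrustManager, and that wrapper runs the algorithm-constraints check over every chain certificate not returned by getAcceptedIssuers(), which is how the MD2withRSA root gets checked here while the default trust manager treats it as a trust anchor and never examines its signature. Keeping `_noClientCertContext.init(null, _trustAllCerts, new SecureRandom());` and changing the _trustAllCerts implementation to extend javax.net.ssl.X509ExtendedTrustManager (adding the Socket and SSLEngine overloads) avoids the wrapper and preserves the trust-everything behaviour; that change would belong in the class that defines _trustAllCerts rather than in this constructor.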

The error is:

13:01:57 Listener-0.0.0.0:8008-1(Proxy.generateSocketFactory): Generating custom SSL keystore for mobilog.ebay.com
13:02:05 Listener-0.0.0.0:8008-1(SSLContextManager.getSSLContext): Requested SSLContext for null
13:02:05 Listener-0.0.0.0:8008-1(ConnectionHandler.run): IOException retrieving the response for https://mobilog.ebay.com:443/ : javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1902)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1032)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at org.owasp.webscarab.model.Request.writeDirect(Request.java:233)
        at org.owasp.webscarab.model.Request.writeDirect(Request.java:214)
        at org.owasp.webscarab.httpclient.URLFetcher.fetchResponse(URLFetcher.java:242)
        at org.owasp.webscarab.plugin.openid.OpenIdHTTPClient.fetchResponse(OpenIdHTTPClient.java:60)
        at org.owasp.webscarab.plugin.saml.SamlHTTPClient.fetchResponse(SamlHTTPClient.java:98)
        at org.owasp.webscarab.plugin.proxy.CookieTracker$Plugin.fetchResponse(CookieTracker.java:130)
        at org.owasp.webscarab.plugin.proxy.BrowserCache$Plugin.fetchResponse(BrowserCache.java:101)
        at org.owasp.webscarab.plugin.proxy.RevealHidden$Plugin.fetchResponse(RevealHidden.java:100)
        at org.owasp.webscarab.plugin.proxy.BeanShell$Plugin.fetchResponse(BeanShell.java:229)
        at org.owasp.webscarab.plugin.proxy.ManualEdit$Plugin.fetchResponse(ManualEdit.java:243)
        at org.owasp.webscarab.plugin.proxy.ConnectionHandler.run(ConnectionHandler.java:223)
        at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:946)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:872)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:814)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
        ... 21 more
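The "Certificates does not conform to algorithm constraints" rejection in the trace above comes from sun.security.ssl.AbstractTrustManagerWrapper, which JSSE places around any TrustManager that does not extend X509ExtendedTrustManager. As an added example (a hypothetical class written for this page, not WebScarab's code and not the patch above), here is a trust manager for an intercepting test proxy that avoids that wrapper while still letting the tester reach sites with weak or untrusted chains: it runs the JDK default validation first and, when that fails, records the reason and lets the handshake proceed. It assumes the proxy's only requirement is to connect and log; it is for a test proxy only, never for a client that relies on server authentication.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical trust manager for an intercepting test proxy (not WebScarab code): validates with
 * the JDK default trust store first and, on failure, records why and accepts anyway, so weak or
 * untrusted chains show up in the log instead of as a blank page. Extending X509ExtendedTrustManager
 * makes JSSE use it directly rather than wrapping it in AbstractTrustManagerWrapper, whose extra
 * algorithm-constraints pass is what rejected the MD2withRSA root in the trace above.
 */
public final class AuditingTrustManager extends X509ExtendedTrustManager {

    private final X509TrustManager defaultTm;
    // peer -> why default validation failed; absent means the default trust store accepted the chain
    private final Map<String, String> failures =
            Collections.synchronizedMap(new LinkedHashMap<String, String>());

    public AuditingTrustManager(X509TrustManager defaultTm) {
        this.defaultTm = defaultTm;
    }

    /** Wraps the JDK default trust store (a null KeyStore selects the default cacerts). */
    public static AuditingTrustManager withDefaultTrustStore() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new AuditingTrustManager((X509TrustManager) tm);
            }
        }
        throw new IllegalStateException("no X509TrustManager in the default factory");
    }

    /** Client-side SSLContext for the proxy's outbound connections. */
    public SSLContext newClientContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { this }, null);
        return ctx;
    }

    public Map<String, String> failures() { return failures; }

    // Validate with the default manager; on failure record the reason (and the chain's algorithms) and accept.
    private void auditServer(X509Certificate[] chain, String authType, String peer) {
        try {
            defaultTm.checkServerTrusted(chain, authType);
        } catch (CertificateException ex) {
            StringBuilder algs = new StringBuilder();
            for (X509Certificate c : chain) {
                algs.append(algs.length() == 0 ? "" : " > ").append(c.getSigAlgName());
            }
            failures.put(peer, ex.getMessage() + " [leaf=" + chain[0].getSubjectX500Principal()
                    + ", sigalgs=" + algs + "]");
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {
        auditServer(chain, authType, "unknown-peer");
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket s) {
        auditServer(chain, authType, s.getInetAddress() == null ? "unknown-peer" : s.getInetAddress().getHostName());
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine e) {
        auditServer(chain, authType, e.getPeerHost() == null ? "unknown-peer" : e.getPeerHost());
    }

    // Client certificates are not what this proxy audits: keep the strict default behaviour.
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { defaultTm.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket s)
            throws CertificateException { defaultTm.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine e)
            throws CertificateException { defaultTm.checkClientTrusted(chain, authType); }

    @Override public X509Certificate[] getAcceptedIssuers() { return defaultTm.getAcceptedIssuers(); }

    /** Usage: java AuditingTrustManager <host> [port]: one handshake, then the audit result. */
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        AuditingTrustManager tm = withDefaultTrustStore();
        try (SSLSocket s = (SSLSocket) tm.newClientContext().getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("handshake with " + host + " completed: " + s.getSession().getProtocol());
        }
        System.out.println(tm.failures().isEmpty()
                ? "default trust store accepted the chain" : "audit: " + tm.failures());
    }
}
```

Because the default manager is consulted first, a chain that the JDK already trusts (including one ending in a weak root that is a trust anchor) produces no audit entry, while a self-signed or otherwise untrusted chain is logged with its signature algorithms and the connection still goes through, which is the behaviour an intercepting proxy needs.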

WebScarab in Maven

We were wondering if there were any plans to make WebScarab available as a Maven dependency any time soon. Thanks,

connection not secure error

When using the WebScarab proxy settings I get this error in my browser: Your connection is not secure
I guess it's about the certificate.
Which steps should I follow to proceed?
