Offensive Thinking

Internet Thoughtcrime

MITM-Proxies: WebScarab(-NG)

Posted: 2009-06-02

When doing web application pentests, I’m using WebScarab as my preferred MITM proxy. And by preferred I mean “it’s not payware and works fairly well”. Web app pentesting happens quite a lot these days, as everyone and their dog are developing their applications for the browser. Which makes sense if you want to have something platform-independent, and of course they all want their apps accessible from the Internet, so their employees can work remotely.

As WebScarab works ok, I wanted to see what WebScarab-NG can do for me. It’s supposed to be the next generation WebScarab, with a better GUI etc. The WebScarab-NG web pages tell you that there’s only a Java WebStart version available, otherwise you have to build it yourself. I couldn’t run it with JavaWS though, because WebScarab-NG doesn’t work with Java 1.6 (some signing issue) and Java 1.5 doesn’t have an x86_64 version of JavaWS. Bummer. So I checked out the git repo. To my surprise, the last commit was from Nov. 2008. When I tried to compile it (it uses Maven), it couldn’t download many of the libraries it needed.

To cut a long story short: I contacted Rogan Dawes, WebScarab(-NG)’s maintainer. He told me he’s not developing it anymore and doesn’t plan on continuing with it, due to various design decisions which turned out to be bad in the long run.

But, there’s light at the end of the tunnel: He at least pointed me to another of his projects, the OWASP Proxy. It’s a Java library for building your own MITM proxy (or whatever else you want to build with it, of course). It gives you a library for building your own proxy, and an HTTP library which does not bail on you if the data you send or receive is not RFC compliant. Which is exactly what you want when pentesting web apps: I “want” to send broken stuff to the app and receive whatever it makes of it.

I’ve decided to check out OWASP proxy and play a little bit with it. I’ll use JRuby of course, to ease the pain of working with Java. If it turns out well, I may write my own MITM proxy. Or maybe I’ll write it anyway. Can’t always wait until someone else does it.