WebScarab - a Web Application Review tool for Java


WebScarab is a Web Application Review tool. It sprang from the designs of the people inhabiting the WebAppSec list run from SourceForge, for a powerful, free, open tool for reviewing web applications for security vulnerabilities. Not much of the original design has actually been implemented as envisioned. WebScarab started as a spider that could download all the pages on a site. It stayed that way for almost a year, before I decided to take lessons learned during the development of Exodus and implement them as part of WebScarab.

Almost nothing of the original WebScarab remains in the current code base. Although the spider code that WebSphinx/WebScarab was based on was mature and well-tested, it did not fit in with my view of how such a tool should operate. Rather than rip out 99% of WebSphinx, I chose to implement a trivial spider in its place. The original WebScarab/WebSphinx spider code is still available from SourceForge, for anyone who is interested.

This page is not the official WebScarab page. It is just here to allow me some freedom to document my own design decisions, and make some interim code available. A quickstart guide is available here, and some user documentation is available here. This user documentation is the same as that available via the built-in javahelp, within WebScarab.

Source code

WebScarab source code was previously held in a CVS archive on SourceForge. I have decided to move development of WebScarab to a git archive, and host it here. You can access the gitweb tree here, or clone my repository with the following command:

git clone git://dawes.za.net/webscarab.git/


WebScarab is copyright Rogan Dawes 2002-2010, and is released under the GPL.