WebScarab - a quick start guide

Prerequisites

This document assumes that you have downloaded the installer version of WebScarab, and have successfully run the installer. At this stage, you have probably just run WebScarab, are looking at the GUI, and are wondering what to do with it.

Reaching the target

Probably the most important thing to do when setting up WebScarab is to make sure that it knows how to reach your target (i.e. the web server that you are trying to test). This may involve configuring an upstream proxy, if you are on a secured corporate network. Select Tools->Proxies to open the configuration dialog box.

If you are on a Windows platform, and you use Internet Explorer, probably the easiest way to get this set up is simply to copy the settings directly from IE. There should be a button "Get IE Settings", that will automatically read the IE settings, and load them into WebScarab for you.

If this button is not visible, and you are on a Windows platform, it suggests that your installation is broken in some way: most likely the W32Wininet.dll file is missing from your installation directory.

WebScarab saves your proxy settings in a properties file, so you should only need to do this once.

Configuring your browser

The next step is to make sure that your web browser is configured to route requests through WebScarab. This involves changing the proxy settings for your browser. By default, WebScarab listens on localhost, port 8008 for incoming connections. Make sure that there are no proxy exceptions configured, and that the browser does not bypass the proxy for local connections; otherwise requests to an application running on localhost, or to any host on an exception list, go straight to the server and never appear in WebScarab.
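Browsers that support proxy auto-configuration (PAC) take these settings from a small JavaScript function, which makes the "no exceptions" point easy to check. The following is an added example, not part of the WebScarab distribution: a typical PAC with the usual local bypass (the weak setting) next to a corrected one that sends everything to 127.0.0.1:8008, plus a small audit routine that reports which hosts a PAC function would let bypass a given proxy. The proxy address is WebScarab's default; the host names in the sample URL list are constructed.

```javascript
// Added example, not WebScarab's own code. PAC files expose a single
// function, FindProxyForURL(url, host); the browser calls it per request and
// obeys the returned string ("DIRECT" or "PROXY host:port").
const WEBSCARAB = "PROXY 127.0.0.1:8008"; // WebScarab's default listener

// WEAK: the bypass most proxy dialogs and PAC templates add by default.
// Anything on localhost, a loopback address or a bare intranet hostname
// goes DIRECT and never shows up in WebScarab's Summary panel.
// (Real PACs usually write this with isPlainHostName()/isInNet(), which are
// browser-provided; the check is inlined here so the file runs under Node.)
function findProxyWithLocalBypass(url, host) {
  if (host === "localhost" || host === "127.0.0.1" || host.indexOf(".") === -1) {
    return "DIRECT";
  }
  return WEBSCARAB;
}

// CORRECTED: no exceptions at all. Save this function, under exactly this
// name, as the browser's PAC file.
function FindProxyForURL(url, host) {
  return WEBSCARAB;
}

// Audit helper: returns the hosts for which pacFn would NOT route traffic
// via `proxy`. Before testing with WebScarab you want this list to be empty.
function hostsBypassingProxy(pacFn, urls, proxy) {
  const bypassed = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    const decision = pacFn(url, host);
    // A PAC may return a fallback list such as "PROXY a:1; DIRECT".
    const usesProxy = decision.split(";").some((d) => d.trim() === proxy);
    if (!usesProxy) bypassed.push(host);
  }
  return bypassed;
}

// Constructed sample of the kinds of URL a test session typically touches.
const SAMPLE_URLS = [
  "http://localhost:8080/login",
  "http://127.0.0.1/admin",
  "http://intranet/app",
  "https://www.example.com/",
];

// Usage: node this_file.js
console.log("weak PAC bypasses:", hostsBypassingProxy(findProxyWithLocalBypass, SAMPLE_URLS, WEBSCARAB));
console.log("fixed PAC bypasses:", hostsBypassingProxy(FindProxyForURL, SAMPLE_URLS, WEBSCARAB));
```

To audit a PAC your browser actually uses, paste its FindProxyForURL into this file in place of the corrected one and extend SAMPLE_URLS with the hosts of the application under test.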

Exploring the target site

At this point, you can start browsing the web site that you are interested in. You should see a list of conversations appearing in the WebScarab Summary Panel, as well as a tree showing the structure of the website that you are browsing.

These conversations show you exactly what was transferred between the browser and the server under test, but they are a record only: you cannot modify any of this data after the fact. If you want to modify the request or response in transit, you need to look at the Proxy intercept features.

Intercepting and modifying conversations

Intercepting requests from the browser falls under the Proxy plugin. Select the Proxy button from the task bar, and then the "Manual Intercept" tab.

On this screen, you can choose whether to intercept requests and/or responses, using the check boxes. Once the checkbox has been selected, you can choose whether to intercept GET or POST requests (or both, by holding the Control-key when selecting). You can also use a Java regular expression to control which requests you intercept, but that is fairly advanced functionality, which we won't go into here!

Now go back to your browser, and follow a link, or submit a form that should be intercepted (according to what you have configured in WebScarab). You should see a new window appear containing the details of the request. You can modify the request as desired, changing the URL, parameters, adding or removing headers, etc. Depending on the content type, there may be more user-friendly views of the request that you can use to simplify editing.

Once you have finished making your changes, you can select the "Accept Changes" button to send the modified request to the server. If you decide that you don't want to make any changes, you can select the "Cancel Changes" button to send the original request to the server.

A similar process would occur if you had intercepted a response from the server.

Replaying a request

If you want to resend a request that has already been sent, and possibly modify it before sending, you can use the "Manual Request" plugin.

In this plugin, you can select a previous request from the drop-down box, and it will be copied into the request portion of the screen. You can now edit it as desired, prior to sending the request to the server using the "Fetch Response" button. Alternatively, you can create a new request from scratch, if you choose.

One feature of WebScarab that is enabled by default is the automatic extraction of cookies from responses seen by the Proxy plugin. These are stored in a shared cookie jar, which is used by the "Manual Request", "Spider" and "Proxy" plugins. This comes in handy if you wish to update the cookies in a replayed request without entering them by hand: simply use the "Get Cookies" button, and the cookies that apply to the current request are added to it. If the request that you send results in a response that sets a cookie, you can add that cookie to the shared jar by selecting the "Update CookieJar" button.
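To make concrete what the shared jar does behind "Get Cookies" and "Update CookieJar", here is an added example, written for this guide and not taken from WebScarab's source: a minimal cookie jar that records Set-Cookie headers from responses as a proxy would see them, then assembles the Cookie header for a replayed request, honouring host-only versus Domain cookies, Path scoping and the Secure flag. The hosts and cookie values in the walk-through are constructed.

```javascript
// Added example, not WebScarab's own code: a shared cookie jar in the spirit
// of the one the Proxy, Spider and Manual Request plugins share.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // key: domain|path|name -> cookie
  }

  // "Update CookieJar": record every Set-Cookie header of a response. A newer
  // cookie with the same domain, path and name replaces the old one, which is
  // how a replayed login refreshes a stale session id in the jar.
  updateFromResponse(responseUrl, setCookieHeaders) {
    const u = new URL(responseUrl);
    for (const header of setCookieHeaders) {
      const c = parseSetCookie(header, u);
      if (c) this.cookies.set(`${c.domain}|${c.path}|${c.name}`, c);
    }
  }

  // "Get Cookies": the Cookie header value for a request to requestUrl, or
  // null if nothing applies (other host, other path, or Secure over http).
  cookieHeaderFor(requestUrl) {
    const u = new URL(requestUrl);
    const matching = [...this.cookies.values()].filter((c) =>
      domainMatches(u.hostname, c) &&
      pathMatches(u.pathname, c.path) &&
      (!c.secure || u.protocol === "https:"));
    if (matching.length === 0) return null;
    matching.sort((a, b) => b.path.length - a.path.length); // longer paths first
    return matching.map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// Parse one Set-Cookie header relative to the URL of the response carrying it.
function parseSetCookie(header, responseUrl) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null; // no cookie name: ignore
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: responseUrl.hostname.toLowerCase(),
    hostOnly: true, // until a Domain= attribute says otherwise
    path: defaultPath(responseUrl.pathname),
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain" && v) {
      cookie.domain = v.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "path" && v.startsWith("/")) {
      cookie.path = v;
    } else if (key === "secure") {
      cookie.secure = true;
    }
  }
  return cookie;
}

// RFC 6265 default-path: the request path up to, not including, its last "/".
function defaultPath(pathname) {
  const idx = pathname.lastIndexOf("/");
  return idx <= 0 ? "/" : pathname.slice(0, idx);
}

function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Constructed walk-through: the proxy sees a login response, then requests
// to the same application are replayed from the Manual Request plugin.
function demo() {
  const jar = new CookieJar();
  jar.updateFromResponse("https://app.example.test/account/login", [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/account",
    "tracker=x1; Domain=.example.test; Path=/",
  ]);
  return {
    replay: jar.cookieHeaderFor("https://app.example.test/account/settings"),
    plainHttp: jar.cookieHeaderFor("http://app.example.test/account/settings"), // Secure cookie withheld
    sibling: jar.cookieHeaderFor("https://api.example.test/v1/"), // only the Domain cookie
  };
}

console.log(demo());
```

The three replays in demo() show why the jar is more than a copy of the last Cookie header: the Secure session cookie is withheld on plain http, the host-only cookies stay with app.example.test, and only the cookie set with an explicit Domain follows the request to a sibling host.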