Introduction to pentesting: Web-Based Exploitation

Intercepting requests with WebScarab

As previously mentioned, WebScarab is a very powerful tool. One of its many roles is to function as a proxy server. Recall that a proxy sits between the client (browser) and the server. While the proxy is running, all the web traffic flowing into and out of your browser is passed through the program. Passing traffic through a local proxy provides us with an amazing ability; by running WebScarab in this mode, we are able to stop, intercept and even change the data either before it arrives or after it leaves the browser. This is a subtle but important point; the use of a proxy allows us to make changes to data in transit. The ability to manipulate or view HTTP request or response information has serious security implications.

Consider the following: some poorly coded websites rely on the use of hidden fields to transmit information to and from the client. In these instances, the programmer makes use of a hidden field of the form, assuming that the user won’t be able to access it. Although this assumption is true for a normal user, anyone leveraging the power of a proxy server will have the ability to access and modify the hidden field.

The classic example of this scenario is the user who was shopping at an online golf store. After browsing the selection, he decided to buy a driver for $299. Being a security analyst, the astute shopper was running a proxy server and noticed that the website was using a hidden field to pass the value of the driver ($299) to the server when the “add to cart” button was clicked. The shopper set up his proxy to intercept the HTTP POST request. This means that when the information was sent to the server, it was stopped at the proxy. The shopper now had the ability to change the value of the hidden field. After manually changing the value from $299 to $1, the request was passed on to the server. The driver was added to his shopping cart, and the new total due was $1.

Although this scenario is not as common as it used to be, it certainly demonstrates the power of using a proxy to intercept and inspect HTTP requests and responses.
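The golf-store scenario in server-side terms, as an added example that is not from the book: a checkout handler that trusts the hidden price field beside one that ignores it and looks the price up by SKU, plus a check that flags a submitted price disagreeing with the catalog. The catalog, SKU and prices are constructed sample data.

```python
# Added example (not from the book): why a price carried in a hidden form
# field must never be trusted, and how the server can both ignore it and
# detect tampering. CATALOG, the SKU and the prices are constructed.
from decimal import Decimal
from urllib.parse import parse_qs

# Server-side source of truth for prices (constructed sample catalog).
CATALOG = {"driver-001": Decimal("299.00")}

def parse_form(body: str) -> dict:
    """Parse a URL-encoded POST body such as 'sku=driver-001&price=299'."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def total_vulnerable(form: dict) -> Decimal:
    """Trusts the hidden 'price' field: anyone behind a proxy can set it to $1."""
    return Decimal(form["price"]) * int(form.get("qty", "1"))

def total_hardened(form: dict) -> Decimal:
    """Ignores any client-supplied price and prices the item by SKU instead."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    qty = int(form.get("qty", "1"))
    if qty < 1:
        raise ValueError("quantity must be positive")
    return CATALOG[sku] * qty

def tampering_detected(form: dict) -> bool:
    """If the form still carries a price, compare it with the catalog.
    A mismatch is a strong sign the request was altered in transit and is
    worth logging and alerting on."""
    submitted = form.get("price")
    if submitted is None or form.get("sku") not in CATALOG:
        return False
    return Decimal(submitted) != CATALOG[form["sku"]]

if __name__ == "__main__":
    original = parse_form("sku=driver-001&price=299&qty=1")
    modified = parse_form("sku=driver-001&price=1&qty=1")  # altered at the proxy
    print(total_vulnerable(modified))    # 1
    print(total_hardened(modified))      # 299.00
    print(tampering_detected(modified))  # True
    print(tampering_detected(original))  # False
```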

To use WebScarab as an interceptor, you need to configure your browser to use a proxy as discussed in the Spidering section of this chapter. Once your browser is configured to use the proxy, you can start WebScarab by issuing the following command in a terminal window:

webscarab

You’ll need to restart WebScarab to use the “lite” version. Once WebScarab has finished loading, you’ll need to click on the “Intercepts” tab. Next, you should check both the “Intercept requests” and “Intercept responses” boxes as shown in the following image.

You may want to leave the Intercept requests and Intercept responses unchecked until you are ready to test, as nearly every page involves these actions and intercepting everything before you are ready will make your browsing experience painfully slow.

With WebScarab set up as described, the proxy will stop nearly every transaction and allow you to inspect or change the data. Luckily, if you find yourself in this situation, WebScarab has included a “Cancel ALL Intercepts” button. This can be handy to keep moving forward.

To change the values of a given field, wait for WebScarab to intercept the request; then locate the variable you wish to change. At this point, you can simply enter a new value in the “value” field and click the “Insert” button to update the field with the new value.

Viewing HTTP requests and responses can also be useful for discovering username and password information. Just remember, the value in many of these fields will be Base64 encoded. Although these values may look as though they are encrypted, you should understand that Base64 is a form of encoding, not encryption. Although these processes may sound similar, they are vastly different. Decoding Base64 is a trivial task that can be accomplished with little effort using a program or online tool.

It should be pointed out that there are many good proxy servers available to assist you with the task of data interception. Don’t be afraid to explore other proxy servers as well.