Friday, December 5, 2008

WebScarab Search Plugin Examples

Thought I'd share some of my favorite Search strings for webscarab.

If you've tried to use the search plugin before you may have scratched you head a bit in confusion. I certainly did for awhile. That's not because it doesn't work, its just because it doesn't work in the way we think of search (ie google style). However, once you learn how to use it, it is incredibly powerful.

For the record, most of these search strings I found posted in mailing lists (several from Rogan himself). I thought I'dd add the few I created and post them all together for all to enjoy.

Catch cookies not using secure flag when connection is over https
request.getURL().toString().startsWith("https://") && response.getHeader("Set-Cookie").indexOf("secure") == -1
Similarly, find cookies using the secure flag when connection is over https
httpsrequest.getURL().toString().startsWith("https://") && response.getHeader("Set-Cookie").indexOf("secure") > -1
Detect if the session ID is exposed from URL rewriting
request.getURL().toString().indexOf("jsessionid") != -1
Look for the password (or any other string) within in a response
new String(response.getContent()).indexOf("the_password") > -1
Filter out just the POST messages

And if you are having trouble with the Search gui for some reason, here's the steps broken down:
  1. Add a title for your search in the description box
  2. Add one of the above search strings to the search expression box
  3. Hit Add
  4. Capture some traffic & do some things
  5. To view the results, select the title within the box located below the add/delete/reload button

-Michael Coates