Thursday, July 16, 2009

WebScarab - BeanShell to Disable IE8 XSS

Using WebScarab for security testing? Here's how to disable the IE8 XSS filter. This is a good move since the IE8 filter is filled with so many false positives that its impossible to perform a fair test unless this feature is turned off.

Add the following to WebScarab's BeanShell. This can be found under Proxy->Bean Shell. Make sure the enable box is checked and hit commit.

/* Please read the JavaDoc and/or the source to understand what methods are available */
/* Template provided by */

import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {

//=====Make changes to the requests=========
//=====Remember: These changes will be applied to all requests while the bean is enabled. ============

//Send the request and fetch the response - this is required for requests to work
Response response = nextPlugin.fetchResponse(request);

//=====Make changes to the response=========
//Modify the response to set the anti-xss header for IE8

return response;

-Michael Coates