Useful Tools

Below is a list of tools we've found useful in solving the WebGoat lessons. You will need WebScarab or Paros to solve most of the lessons.

WebScarab:

Like WebGoat, WebScarab is an OWASP project. WebScarab is an intercepting proxy for analyzing applications that communicate over HTTP and HTTPS: the browser is pointed at the proxy instead of the server, so every request and response passes through WebScarab, where we can review and modify it before it is forwarded.



Webpage: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
The .jar install file can be found on the OWASP SourceForge page.

After installing WebScarab and configuring your browser to use it as a proxy on localhost (port 8008 by default) we can start. If your Tomcat server is also running on localhost, remember to put a "." after the hostname when browsing to WebGoat, e.g. http://localhost.:8080/WebGoat/attack. Browsers bypass the proxy for "localhost" and "127.0.0.1" by default, so without the trailing dot your requests would go straight to Tomcat and never show up in WebScarab.



We have to select "Intercept Request" in the "Intercept" tab. Now, when the browser sends an HTTP request, WebScarab holds it and opens a new window showing the request.



Here we can read and edit the intercepted parameters, both those in the URL and those in the POST body. After "Accept changes" the modified request is sent to the server; any client-side checks (JavaScript validation, hidden fields, disabled form elements) have already run in the browser and are bypassed at this point.

WebScarab is also used to intercept the request and change cookie values just like parameter data:
</gml_replace>
<gr_replace lines="28" cat="clarify" orig="We get a new window">
We get a new window on sending an HTTP request. The screenshot shows where the cookies are listed in the intercepted request and how to edit their values before accepting the request.



We get a new window on sending a HTTP request. On the screenshot you see where we can find cookies and how to edit their values.
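To make clear what happens between "Intercept Request" and "Accept changes", here is a small model of the proxy step in Python. This is an added example, not WebScarab code: it parses a raw HTTP/1.1 request, lets you rewrite URL parameters, POST body parameters and cookie values the way the intercept window does, and re-serializes the request with a corrected Content-Length. The sample request, its parameter names and the JSESSIONID/role cookie values are constructed for the example; a real proxy would read the request from the browser socket and forward the edited bytes to Tomcat instead of returning them.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample request, as a browser would send it to WebGoat via the proxy.
# The URL, parameters and cookie values are assumptions for this example.
SAMPLE_REQUEST = (
    b"POST /WebGoat/attack?Screen=10&menu=200 HTTP/1.1\r\n"
    b"Host: localhost.\r\n"
    b"Cookie: JSESSIONID=ABC123; role=user\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"account=101&amount=10.00"
)


class InterceptedRequest:
    """An HTTP/1.1 request held by the proxy: parsed, editable, re-serializable."""

    def __init__(self, raw: bytes):
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        self.method, target, self.version = lines[0].split(" ", 2)
        self.url = urlsplit(target)
        self.query = dict(parse_qsl(self.url.query, keep_blank_values=True))
        # Header names are case-insensitive; keep the original order for output.
        self.headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            self.headers.append([name.strip(), value.strip()])
        self.body = dict(parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
        self.cookies = SimpleCookie(self._header("Cookie") or "")

    def _header(self, name):
        for n, v in self.headers:
            if n.lower() == name.lower():
                return v
        return None

    def _set_header(self, name, value):
        for h in self.headers:
            if h[0].lower() == name.lower():
                h[1] = value
                return
        self.headers.append([name, value])

    def set_param(self, name, value):
        """Edit a parameter: an existing body parameter wins, otherwise the query string."""
        if name in self.body or (self.method == "POST" and name not in self.query):
            self.body[name] = value
        else:
            self.query[name] = value

    def set_cookie(self, name, value):
        """Edit (or add) a cookie sent by the browser."""
        self.cookies[name] = value

    def serialize(self) -> bytes:
        body = urlencode(self.body).encode("iso-8859-1") if self.body else b""
        url = self.url._replace(query=urlencode(self.query))
        if self.cookies:
            cookie_header = "; ".join(f"{k}={m.value}" for k, m in self.cookies.items())
            self._set_header("Cookie", cookie_header)
        # The server trusts Content-Length, so it must match the edited body.
        if body or self._header("Content-Length") is not None:
            self._set_header("Content-Length", str(len(body)))
        request_line = f"{self.method} {urlunsplit(url)} {self.version}"
        head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in self.headers])
        return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def tamper(raw: bytes, params: dict, cookies: dict) -> bytes:
    """The intercept step: parse, apply the edits, return what gets sent on 'Accept changes'."""
    req = InterceptedRequest(raw)
    for name, value in params.items():
        req.set_param(name, value)
    for name, value in cookies.items():
        req.set_cookie(name, value)
    return req.serialize()


if __name__ == "__main__":
    edited = tamper(SAMPLE_REQUEST, {"amount": "100.00", "menu": "900"}, {"role": "admin"})
    print(edited.decode("iso-8859-1"))
```

Running the block prints the edited request with the amount, the menu parameter in the URL and the role cookie changed. The Content-Length fix is the detail people miss when editing by hand: a stale length makes Tomcat truncate or wait on the body, which looks like a broken lesson rather than a rejected attack.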

Firebug:

Firebug is an add-on for the Firefox browser. We can use it to inspect, edit and monitor the CSS, HTML and JavaScript of a page, which is handy for finding hidden form fields, removing client-side validation or reading the scripts a lesson relies on.



Webpage: http://www.getfirebug.com

IEWatch:

IEWatch is a tool for Internet Explorer users to analyze the HTTP traffic and HTML of the pages they visit.



Webpage: http://www.iewatch.com

Wireshark:

Wireshark is a network protocol analyzer. You can sniff network traffic and gather useful information this way; with plain HTTP, that includes session cookies, form parameters and credentials passing in the clear.



Webpage: http://www.wireshark.org

Scanner:

There are many vulnerability scanners for your own web applications. They can find XSS, injection flaws and other vulnerabilities. Below are links to two scanners. Note that Paros is primarily an intercepting proxy with a built-in scanner, and Nessus is a general network vulnerability scanner that was open source only up to version 2; version 3 and later are proprietary.

Nessus: http://www.nessus.org
Paros: http://www.parosproxy.org