WebApp Sec mailing list archives
Handling of arbitrary content in analysis tools (WebScarab) Was R E: SOAP protocol analyzer
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 13 Oct 2003 10:19:42 +0200
Unfortunately I do not know of a tool that allows intercepting and analysing SOAP packets. However, I AM interested in including support for fairly arbitrary content in WebScarab. I would like ideas on how best to implement this, though, since I am not an experienced Java programmer.

For example, a client of mine is sending twofish encrypted serialised objects across an HTTP connection, and I would like to be able to support intercepting, interpreting, modifying, and releasing content of this nature. Obviously, it is also important to be able to report on (summarise?) what has been seen and what has been sent.

Does anyone have any suggestions on how to handle fairly arbitrary data formats in a clean extensible way in Java?

Complications that I am seeing (over and above what WebScarab does currently) are:

* arbitrary data formats, such as the twofish encrypted objects mentioned above, XML (SOAP?) and whatever else developers come up with.
* Multi-part content, which could have "variable=value" pairs, as well as instances of the arbitrary formats mentioned above.

Scenarios where it would be used/needed:

* WebScarab intercepts a request or response, and allows the operator to modify it.
* WebScarab records the conversation, and the operator wants to review it.
* The operator wishes to create such a request manually.
* WebScarab wants to supply "known bad" data (fuzz) to see how the web application responds.

I am leaning towards the following approach: Have an operator-configurable list of "ContentParsers", which are essentially Java classes that implement the ContentParser interface, mainly the following method:

Object parseContent(byte[] content) throws ParseException;

The operator would be able to select from the list of parsers, and ask it to parse the message body (entity-body, content, whatever ;-) to an object. If it succeeds (does not throw an Exception), the Object could be passed to an appropriate editor.
Example parsers would be:

org.owasp.webscarab.parser.MultiPartFormDataParser returning a MultiPartFormData object
org.owasp.webscarab.parser.WWWFormUrlEncodedParser returning a WWWFormURLEncoded object

for the two default FORM submission methods (application/x-www-form-urlencoded and multipart/form-data). But it would be entirely possible for someone to put a class such as za.org.dragon.exodus.parser.TwoFishSerialisedObjectParser returning Object in the list (and the CLASSPATH), and have that appear as an option in a ComboBox, or whatever. The operator could then ask WebScarab to attempt to parse the content using that particular parser, and return an Object of an appropriate type.

Once we have an Object representation of the content, we can look at an operator-configurable list of ObjectEditors (analogous to javax.swing.CellEditor) which would allow us to visualise(?) and modify the Object. The tool could use reflection to identify the Object's class hierarchy and any interfaces that the Object implements, and then identify the Editors that are able to edit objects of that type.

An illustration might be the MultiPartFormDataEditor that shows the list of parts, allowing the operator to modify, insert or delete parts. The MultiPartFormDataEditor would then use Class-specific editors for each part, such as a FilePartEditor (load a different file), NameValuePairEditor, javaUtilVectorEditor, etc.

Does this seem like a reasonable way of doing things?

Rogan
-----Original Message-----
From: Olivier G. Gaumond [mailto:olig () monimap com]
Sent: 10 October 2003 03:21 AM
To: webappsec () securityfocus com
Subject: SOAP protocol analyzer

Does someone know of a tool that can dissect web services protocols like SOAP? What I am looking for is a tool that decomposes the traffic sniffed on the network. I want to know which method was called, the parameters, etc., like Ethereal does with many other protocols. The tool can also be proxy based, and if it can analyze .NET Remoting as well it would be a bonus.

Thanks.

Olivier
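As an added illustration of the design sketched in Rogan's message (this is example code written for this archive page, not WebScarab's own source): the ContentParser interface follows the parseContent(byte[]) signature from the message, while the serialize() method, the ObjectEditor interface, the EditorRegistry class and the ContentParserDemo driver are assumptions introduced here, and both request bodies are constructed. It shows a form-urlencoded parser that throws ParseException when handed a body it cannot decode (so the operator, or the tool, can move on to the next parser in the list), an editor lookup that walks the parsed object's class hierarchy and interfaces by reflection, and the intercept, modify and release round trip.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.*;

/** Interface as proposed in the message; serialize() is an added assumption for the round trip. */
interface ContentParser {
    Object parseContent(byte[] content) throws ParseException;
    byte[] serialize(Object parsed);
}
/** Assumed editor contract (stand-in for a CellEditor-style Swing component). */
interface ObjectEditor {
    Class<?> editableType();
    String summarise(Object value);
}
/** Parsed application/x-www-form-urlencoded body: ordered, percent-decoded name/value pairs. */
final class WWWFormUrlEncoded { final List<String[]> pairs = new ArrayList<>(); }

final class WWWFormUrlEncodedParser implements ContentParser {
    public Object parseContent(byte[] content) throws ParseException {
        String body = new String(content, StandardCharsets.ISO_8859_1); // bytes map 1:1 to chars
        WWWFormUrlEncoded form = new WWWFormUrlEncoded();
        for (String field : body.isEmpty() ? new String[0] : body.split("&", -1)) {
            int eq = field.indexOf('=');
            String name = eq < 0 ? field : field.substring(0, eq);
            String value = eq < 0 ? "" : field.substring(eq + 1);
            try {
                form.pairs.add(new String[] { URLDecoder.decode(name, "UTF-8"), URLDecoder.decode(value, "UTF-8") });
            } catch (IllegalArgumentException | UnsupportedEncodingException e) {
                // A bad %-escape (typical for a binary body) means "not my format": let the next parser try.
                throw new ParseException("not form-urlencoded: " + e.getMessage(), 0);
            }
        }
        return form;
    }
    public byte[] serialize(Object parsed) {
        StringJoiner out = new StringJoiner("&");
        for (String[] p : ((WWWFormUrlEncoded) parsed).pairs) {
            try { // re-escaping keeps an edited value from breaking the field structure
                out.add(URLEncoder.encode(p[0], "UTF-8") + "=" + URLEncoder.encode(p[1], "UTF-8"));
            } catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
        }
        return out.toString().getBytes(StandardCharsets.ISO_8859_1);
    }
}

/** Operator-configurable editor list; lookup walks the object's class hierarchy via reflection. */
final class EditorRegistry {
    private final List<ObjectEditor> editors = new ArrayList<>();
    void register(ObjectEditor e) { editors.add(e); }
    List<ObjectEditor> editorsFor(Object value) {
        List<ObjectEditor> found = new ArrayList<>();
        Deque<Class<?>> todo = new ArrayDeque<>(Collections.singletonList(value.getClass()));
        Set<Class<?>> seen = new HashSet<>();
        while (!todo.isEmpty()) { // concrete class first, then superclasses and interfaces
            Class<?> c = todo.poll();
            if (!seen.add(c)) continue;
            for (ObjectEditor e : editors) if (e.editableType() == c) found.add(e);
            if (c.getSuperclass() != null) todo.add(c.getSuperclass());
            todo.addAll(Arrays.asList(c.getInterfaces()));
        }
        return found;
    }
}

public class ContentParserDemo {
    public static void main(String[] args) throws Exception {
        // Parsers are named in operator config (constructed here); a third-party parser such as a
        // Twofish one only has to be on the CLASSPATH to become selectable.
        List<ContentParser> parsers = new ArrayList<>();
        parsers.add((ContentParser) Class.forName("WWWFormUrlEncodedParser").getDeclaredConstructor().newInstance());
        EditorRegistry editors = new EditorRegistry();
        editors.register(new ObjectEditor() { // stands in for a NameValuePairEditor
            public Class<?> editableType() { return WWWFormUrlEncoded.class; }
            public String summarise(Object v) {
                StringJoiner names = new StringJoiner(", ", "form fields: ", "");
                for (String[] p : ((WWWFormUrlEncoded) v).pairs) names.add(p[0]);
                return names.toString();
            }
        });
        byte[][] bodies = { "user=rogan&q=a%26b&flag".getBytes(StandardCharsets.ISO_8859_1), // constructed form post
            new byte[] { (byte) 0x92, '%', 'z', 'z', 0x00, 0x7f } };                           // constructed opaque blob
        for (byte[] body : bodies) {
            for (ContentParser p : parsers) {
                try {
                    Object parsed = p.parseContent(body);
                    for (ObjectEditor e : editors.editorsFor(parsed)) System.out.println(e.summarise(parsed));
                    if (parsed instanceof WWWFormUrlEncoded) { // "modify and release": tamper, then re-encode
                        ((WWWFormUrlEncoded) parsed).pairs.get(1)[1] = "admin=1&x";
                        System.out.println(new String(p.serialize(parsed), StandardCharsets.ISO_8859_1));
                    }
                } catch (ParseException ex) {
                    System.out.println(p.getClass().getSimpleName() + " rejected body: " + ex.getMessage());
                }
            }
        }
    }
}
```

Two points worth noticing when running it. The binary body is rejected by the form parser with a ParseException rather than being mangled into a bogus object, which is the behaviour the selection-by-exception scheme relies on. The round trip is not byte-identical: the bare "flag" field comes back as "flag=", and the tampered value is re-escaped so that its '&' and '=' cannot split the field. An intercepting proxy should therefore release the original bytes untouched unless the operator actually edited the parsed object, since a normalising re-serialization can itself change what the server sees.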
Current thread:
- Handling of arbitrary content in analysis tools (WebScarab) Was R E: SOAP protocol analyzer Dawes, Rogan (ZA - Johannesburg) (Oct 13)
- Re: Handling of arbitrary content in analysis tools (WebScarab) Was RE: SOAP protocol analyzer Jeff Williams @ Aspect (Oct 16)