Thursday, April 4, 2013

HomeLab Headaches Ep.8

Oh Webgoat, you have tricked me once again.  Monday night I thought I had it all done since I got the login prompt and was able to login.  I called it a night at around 0030 and went to sleep.  Last night I was excited to start learning what Webgoat had instored to teach me.  I get started on the General section and I get down to useful tools and come across Webscarab.  I know it was one of the required tools for Webgoat and had it downloaded and I had even tried running it once to make sure it was working(to the extent of my knowledge it was).

I read something about a proxy, which is Webscarab and it has a intercept mode, which if I understand this correctly all the http traffic goes through Webscarab and I can analyze it and edit it and\or pass it through.

First problem was setting up the proxy, I was setting proxy as using port 1337.  Set Firefox to use proxy for http to the same and it would not allowed traffic through.  I played around with different settings and still couldn't get it to work or Webcarab to see the traffic either.  So I know it was something I was doing wrong with the proxy.  I kept going back to the OWASP page trying to find clues to what I am doing wrong.  The install for linux was simple just run

java -jar ./webscarab-selfcontained-[numbers].jar

Which to me just does look like an install, its just telling java to run this particular .jar file.  So I decided to look in the Windows installation instructions.  On there I got a clue as to what I was doing wrong, which was to proxy settings in Firefox.  I was setting the proxy to but it looks like I'm suppose to set it to localhost, but I set the port to 1337 which is the port I set on the Webscarab. DIDN'T WORK.  I looked at the Terminal window and I saw "Listenner something something: 8008".  I thought "Why is Webscarab listenning to port 8008.  If Webscarab is suppose to intercept my http traffic then I should send it to that port"

So I did, I set the Firefox proxy to localhost port 8008.  YAY! That worked for Webscarab to intercept the traffic, but when I hit accept changes to let the traffic through to the server it vomits some java errors at me.

I toyed with some of the settings and can't get the traffic to pass through to the Webgoat server.  Tonight I shall do some more Googling to see if I can figure this out.

The hardest part of all of this is that I'm doing all of this by myself.  I have no one but Google to depend on for help.  Which is cool because it just helps me figure things out on my own which I like because I learn more that way, but when I get frustrated and get lost trying to figure something out or I fix something or find a fix but don't know how it actually fixed or what it does it sucks because then I'm not really learning.  I wish I had someone that I could bounce ideas off of or ask how and why.  MEH! Nothing I can do but keep on going.

One thing I created myself was a .sh to run the java command above so I can start Webscarab easier.  It was nothing special at all, all I did was put that command in the text editor and name it  To me I got excited because I've only created simple .bat scripts at work so for me to create something like this, in linux, on my own just by thinking about it and trying and it actually working on the first try, was pretty cool.  I didn't even know if it was going to work and if the correct file type that I had to save was .sh but I tried it anyways and BAM it worked. YAY!!!!

No comments:

Post a Comment