Thursday, July 14, 2011

Intercepting HTTP request/response using WebScarab to hack Web Applications







Hello Friends.
Recently I am really busy with my interviews in different companies. But there is always a new thing that you can learn from everything. Though my tough time has not yet ended but still I took out time to write this post as there is somthing new that I learned while I was preparing for one of my interviews for MicroWorld that is amongst the leading companies in the field of Network Security.
The best thing I find about hacking is that you have the whole internet to practice so I was hitting my keyboard hard to practice my knowledge of intercepting HTTP request and response headers . I will explain you how the entire process works but the thing that disappoints me is that the security features in Indian websites is still very lame. Though there are websites who have really good security measures but there counting is limited .



So we will understand how we can intercept the HTTP request we send to a website and how we can analyse the response header.For this purpose we will use WebScarab which you can download from Here.

After you have installed the setup you will first have to set your browser so that WebScarab can intercept the request and response. 
I am taking the example of Firefox here. Go to options > Advanced > Network > Settings > Then select the Manual Proxy configuration and enter the following values.
HTTP proxy - 127.0.0.1 and port - 8008 
This sets the webscarab to intercept the request by acting as a localhost proxy .


Now you start your webScarab by clicking on the icon.
The screen will appear wired and somthing like as shown in the figure. Click on the figure to enlarge it .
In the intercept tab , select "Intercept request" and in the left hand side menu select "Get" and "Post" options . 
This makes your webScarab completely ready to intercept the HTTP Get and post requests .


Now in your browser type any url , for e.g , google.com and you will get a window that will show the intercepted HTTP Get request. Now if you click on the "Intercept Response" button then it will also intercept the response that is coming back to the browser from the google server.

You can use this technique to analyse the the various request and response headers and let me tell you this can be very very deadly . If you are able to make the right moves and changes in the Headers then you can easily modify the headers to send invalid valuse to the servers .
In the main window of the webScarab , the "Summary" tab shows you the details of all the intercepted requests and response.


This is a short tutorial on webScarab that will give you a basic understanding of how to use webscarab to intercept the HTTP values and analyse them > Rest is upto you how far you can take it . 
To see how far I went read my next blog post on "how to hack online shopping carts" . 
In case you have any difficulties using WebScarab then please comment here . I will try my best to solve it .


DARKLORD!!

7 comments:

  1. really informative..i was looking for a post on this topic....n all d best for ur interviews

    ReplyDelete
  2. loved it...so damn informative...web scarab seems realy intrstin....:)

    ReplyDelete
  3. @Vaisakhi : If you will use it then you will love it even more.

    ReplyDelete
  4. There is a similar tool, but used more often for web development troubleshooting rather than hacking. Its TCPMon:

    http://www.quicklyjava.com/intercept-post-data-using-tcpmon/

    ReplyDelete
  5. A very nice blog but how to intercept http on a android phone?

    ReplyDelete
  6. i read your post and its very interesting.. can i ask if you can make a hack on these secured website?? http://www.rankedgaming.com/shop/

    you can use this account

    username: skabern
    password: sgtskabern

    i would be happy if you can hack that website! thanks.. please pm me if you are successfull! i will bow down to you! ^^ thanks! email me if you want skabern@gmail.com

    ReplyDelete