Web Security

WebScarab

WebScarab uses Java, so if you don't have that, install that first. WebScarab is a bit old, but simpler and less confusing than more modern and advanced tools, such as OWASP Zap (free and open source) or Burpsuite (commercial, but with a free trial license). You can use these alternative tools too, if you want, or give them a try.

Installing WebScarab

To install WebScarab

Configuring your browser to use WebScarab as proxy

WebScarab listens on port 8008, so you have to configure your web browser to use the proxy at localhost, port 8008. To do this in Firefox, go to

   Options -> Advanced -> Network -> Settings/Instellingen

and enter localhost as the proxy host and 8008 as the port, then press OK. An example network settings page in Firefox is shown below.

NB: make sure that at the bottom of the Settings screen there are no entries under No proxy for. In particular, localhost, 127.0.0.0 should not be listed there, otherwise WebScarab won't intercept the traffic to localhost, which includes the traffic to WebGoat.
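To see why that setting matters, here is an added example (not part of the original page or of WebScarab) that models how a browser decides whether a host bypasses the proxy. The matching rules are a simplified, assumed model of the common conventions (exact hostname, leading-dot domain suffix, exact IP address, CIDR range); Firefox's precise rules are not taken from this page. The bypass lists and hostnames used are constructed sample values.

```python
"""Model of a browser's "No proxy for" bypass list.

Assumption: this is a simplified model of typical browser behaviour, not
Firefox's actual implementation. It supports exact hostnames, leading-dot
domain suffixes (".example.com" matches "www.example.com"), exact IP
addresses and CIDR ranges ("127.0.0.0/8").
"""
import ipaddress


def parse_bypass_list(text):
    """Split a comma- or whitespace-separated bypass list into lowercase entries."""
    return [e.strip().lower() for e in text.replace(",", " ").split() if e.strip()]


def bypasses_proxy(host, bypass_list):
    """Return True if traffic to `host` would skip the proxy under `bypass_list`."""
    host = host.strip().lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not an IP literal

    for entry in parse_bypass_list(bypass_list):
        if entry == host:
            return True
        if entry.startswith(".") and host.endswith(entry):
            return True
        if addr is not None and "/" in entry:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue  # not a valid CIDR entry; ignore it
    return False


def local_targets_not_intercepted(bypass_list, targets=("localhost", "127.0.0.1")):
    """List the local targets (where a WebGoat-style app runs) that would NOT pass through the proxy."""
    return [t for t in targets if bypasses_proxy(t, bypass_list)]


if __name__ == "__main__":
    # Constructed sample: the default-looking list that breaks local interception.
    bad_list = "localhost, 127.0.0.1"
    print("not intercepted with", repr(bad_list), "->", local_targets_not_intercepted(bad_list))
    print("not intercepted with empty list ->", local_targets_not_intercepted(""))
```

With a non-empty bypass list naming localhost, requests to the local WebGoat instance never reach WebScarab, which is exactly the symptom the note above warns about; an empty "No proxy for" field sends everything through the proxy.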

Using WebScarab

WebScarab has two user interfaces: the simple (lite) version and the fully-fledged one with all the features. In the Intercept/Proxy tab you can choose to intercept requests and/or responses. This means that you can view, edit and optionally discard an outgoing HTTP request to the server (after it has left your browser and before it reaches the server - in this case, the WebGoat server), or an incoming HTTP response sent by the server before it enters your browser.

If you choose to intercept requests, a new WebScarab window will open for every HTTP request. In this window you can inspect the request (either in raw, unparsed form or in a more readable, parsed format) and you can edit the request before passing it on, or you can abort the request (which means it is discarded).
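The raw and parsed views described above are two presentations of the same bytes. The added example below (written for this page, not WebScarab's own code) parses a raw HTTP request into its parts, lets you edit a header or the body, and serializes it back, keeping Content-Length consistent so the server still accepts the edited request. The request is a constructed sample; the path and form fields are placeholders, not WebGoat's real ones.

```python
"""Raw vs. parsed view of an intercepted HTTP request, plus a consistent edit.

The sample request below is constructed for illustration; its path and
parameters are placeholders and do not come from WebGoat.
"""

RAW_REQUEST = (
    b"POST /example/login HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"user=guest&pass=x"  # 17 bytes, matching the header above
)


def parse_request(raw):
    """Split raw request bytes into request line, header list and body (the 'parsed' view)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def set_header(req, name, value):
    """Replace a header in place (case-insensitive name match) or append it."""
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return
    req["headers"].append((name, value))


def set_body(req, body):
    """Replace the body and update Content-Length so the edited request stays valid."""
    req["body"] = body
    set_header(req, "Content-Length", str(len(body)))


def serialize_request(req):
    """Rebuild the raw bytes from the parsed view (what is forwarded to the server)."""
    head = f"{req['method']} {req['target']} {req['version']}\r\n"
    head += "".join(f"{n}: {v}\r\n" for n, v in req["headers"])
    return head.encode("latin-1") + b"\r\n" + req["body"]


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print("parsed view:", req["method"], req["target"], dict(req["headers"]))
    set_body(req, b"user=guest&lang=en")  # an edit made in the intercept window
    print("raw view after edit:\n" + serialize_request(req).decode("latin-1"))
```

Parsing and re-serializing an unedited request reproduces the original bytes exactly; after a body edit, the rebuilt request carries the corrected Content-Length, which is the detail most often broken when a request is hand-edited in an intercept window.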

More info about WebScarab is at the OWASP WebScarab site.