Making OWASP WSFuzzer module
From OWASP Live CD 2008
Get the Source for OWASP WSFuzzer
Go to the OWASP WSFuzzer website and look for the link to the Sourceforge downloads. In the downloads section, grab the latest .tar.gz version which is wsfuzzer-1.9.3.tar.gz at the time of this writing.
Go ahead and extract the download into the working/temp directory:
$ cp /home/mtesauro/owasp-live-cd/tools-in-SoC-release/wsfuzzer-1.9.3.tar.gz temp/
$ cd temp/
$ tar -xzvf wsfuzzer-1.9.3.tar.gz
$ cd ../
Create the needed directories in fakeroot
Eventually, we'll use dir2lzm to make the module, so let's create the directories we need:
$ mkdir -p ./fakeroot/opt/owasp/
$ mkdir -p ./fakeroot/usr/bin
$ mkdir -p ./fakeroot/usr/share/applications
$ mkdir -p ./fakeroot/usr/share/pixmaps
Create and put the module's files into the fakeroot directory
Since we are getting Python source, let's put the application files where they need to go.
$ mv temp/version1.9.3/ fakeroot/opt/owasp/
$ mv fakeroot/opt/owasp/version1.9.3 fakeroot/opt/owasp/wsfuzzer
Next, we'll need a script to start WSFuzzer in fakeroot/usr/bin. This one is pretty easy:
$ vi fakeroot/usr/bin/wsfuzzer
[create script]
$ cat fakeroot/usr/bin/wsfuzzer
#!/bin/sh
cd /opt/owasp/wsfuzzer/
PYTHONPATH=/opt/owasp/wsfuzzer python WSFuzzer.py "$@"
Because WSFuzzer is a command line tool, we're going to create a startup script to be used by the menu item below.
$ vi fakeroot/usr/bin/startup-wsfuzzer
[create script]
$ cat fakeroot/usr/bin/startup-wsfuzzer
#!/bin/sh
echo " "
echo " "
echo " OWASP WSFuzzer - Web Services Testing"
echo " (part of the OWASP Live CD 2008)"
echo " "
echo " Type 'wsfuzzer' to get updates and help"
echo ""
Creating WSFuzzer's menu file is a bit more complex since it opens in a terminal. Use a text editor to create the file wsfuzzer.desktop:
$ vi fakeroot/usr/share/applications/wsfuzzer.desktop
[create the file]
$ cat fakeroot/usr/share/applications/wsfuzzer.desktop
[Desktop Entry]
Categories=Application;Network;
Comment=
Encoding=UTF-8
Exec[$e]=startup-wsfuzzer; bash
GenericName=WSFuzzer
Icon=/usr/share/pixmaps/wsfuzzer-icon.png
MimeType=text/html
Name=Web Services Testing Tool
Path[$e]=
StartupNotify=false
Terminal=1
TerminalOptions=-T "WSFuzzer - Web Services Testing"
Type=Application
X-KDE-StartupNotify=true
X-KDE-SubstituteUID=false
X-KDE-Username=
For the icon, there were no images in the source download. Also, since this is a text-based application, there's nothing to screen capture. I defaulted to an OWASP icon I have since it's an OWASP tool. I then moved that into fakeroot.
$ cp temp/owasp-icon.png fakeroot/usr/share/pixmaps/wsfuzzer-icon.png
WSFuzzer requires Python. I've already "created" a Python module. I document how I did that in Making the Python module.
Unfortunately, there was an additional dependency on the fpconst Python module. The module wasn't part of the SLAX Python module and was a bit tricky to find, as the original site is no more. Luckily, it's hosted on a python.org site as well. Download the latest tar.gz, which was fpconst-0.7.2.tar.gz at the time of this writing. Extract it into working/temp and move the necessary bit into fakeroot:
$ cp /home/mtesauro/owasp-live-cd/tools-in-SoC-release/fpconst-0.7.2.tar.gz temp/
$ cd temp/
$ tar -xzvf fpconst-0.7.2.tar.gz
$ cd ../
$ cp temp/fpconst-0.7.2/fpconst.py fakeroot/opt/owasp/wsfuzzer/
As of wsfuzzer 1.9.4, you also need PyXML installed. The best method to get that done is to download it from the SourceForge site. I like to build these things inside the Live CD to ensure there aren't any missing dependencies. After you download the tarball, extract and build the module:
# mkdir working
# mv PyXML-0.8.4.tar.gz working
# cd working
# tar -xzvf PyXML-0.8.4.tar.gz
# find / > pre-pyxml
# cd PyXML-0.8.4
# python setup.py install
[bunch of output]
# find / > post-pyxml
# cd ..
# diff pre-pyxml post-pyxml > pyxml-install-temp
# grep '^>' pyxml-install-temp | grep -v working > pyxml-install
# vi pyxml-install
[remove any cruft]
What you should be left with is a script to move the files installed to a temporary directory such as:
mkdir -p /root/temper/usr/bin/
cp -a /usr/bin/xmlproc_parse /root/temper/usr/bin
cp -a /usr/bin/xmlproc_val /root/temper/usr/bin
mkdir -p /root/temper/usr/lib/python2.5/site-packages/
cp -a /usr/lib/python2.5/site-packages/PyXML-0.8.4-py2.5.egg-info /root/temper/usr/lib/python2.5/site-packages/
cp -a /usr/lib/python2.5/site-packages/_xmlplus /root/temper/usr/lib/python2.5/site-packages/
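One way to generate a script of that shape from the two find listings, as an added example that is not part of the original page. It compares sorted listings with comm and single-quotes every path, since the result is run as root; the function names, argument order and the sample file names under _xmlplus are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Function and argument names are
# hypothetical; the sample listings below are constructed.

# Print paths that appear only in the post-install listing.
new_paths() {
    a=$(mktemp) b=$(mktemp)
    LC_ALL=C sort "$1" > "$a"
    LC_ALL=C sort "$2" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# gen_copy_script PRE POST STAGE SKIP_PREFIX
# Emits one cp -a per top-most new path, so a new directory is copied once,
# not file by file. Build-directory, kernel and scratch paths are dropped.
gen_copy_script() {
    new_paths "$1" "$2" |
    awk -v stage="$3" -v skip="$4" -v q="'" '
        skip != "" && index($0, skip) == 1 { next }
        /^\/(proc|sys|dev|tmp)\// { next }
        { dir = $0; sub("/[^/]*$", "", dir); seen[$0] = 1 }
        (dir in seen) { next }    # parent is new too, so cp -a covers this path
        index($0, q) { print "# review by hand: " $0; next }
        !(dir in made) { print "mkdir -p " q stage dir "/" q; made[dir] = 1 }
        { print "cp -a " q $0 q " " q stage dir "/" q }'
}

# Constructed listings standing in for pre-pyxml and post-pyxml.
write_sample_listings() {
    printf '%s\n' /usr/bin/python /usr/lib/python2.5/site-packages \
        /root/working/PyXML-0.8.4.tar.gz > "$1/pre-pyxml"
    { cat "$1/pre-pyxml"
      printf '%s\n' /proc/4242/status /root/working/PyXML-0.8.4/setup.py \
        /usr/bin/xmlproc_parse /usr/bin/xmlproc_val \
        /usr/lib/python2.5/site-packages/_xmlplus \
        /usr/lib/python2.5/site-packages/_xmlplus/__init__.py \
        /usr/lib/python2.5/site-packages/_xmlplus/dom \
        /usr/lib/python2.5/site-packages/_xmlplus/dom/__init__.py
    } > "$1/post-pyxml"
}
```

Read the generated script before running it: anything outside the package's own paths means something else changed on the system between the two listings.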
Now just make that executable, run it and move the directory off the OWASP Live CD to wherever you are creating the module:
# chmod u+x pyxml-install
# ./pyxml-install
# scp -r /root/temper mtesauro@[your IP here]:/home/mtesauro/projects/temp/
Add those files into fakeroot and you are good to go.
$ mv temp/temper/usr/bin/xmlproc_* fakeroot/usr/bin/
$ mv temp/temper/usr/lib fakeroot/usr/
You'll also need to edit fakeroot/opt/owasp/wsfuzzer/parseWsdl.sh and set the JAVA_HOME variable to the correct path, which is /usr/lib/java:
$ head -n3 fakeroot/opt/owasp/wsfuzzer/parseWsdl.sh
# Change next line to reflect your env Java 1.6
JAVA_HOME="/usr/lib/java"
#different classpath per OS
Everything is in place to create the module. A quick final check:
$ find fakeroot
fakeroot/
fakeroot/opt
fakeroot/opt/owasp
fakeroot/opt/owasp/wsfuzzer
...
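A scripted version of that final check, as an added example that is not part of the original page: it verifies that the launchers in usr/bin are executable and start with "#!", that the menu entry's Exec and Icon targets exist inside the tree, and that nothing staged is world-writable or setuid. The function names and the sample tree are constructed, and it assumes Icon is given as an absolute path, as in the desktop file above.

```shell
#!/bin/sh
# Added example, not from the original page. check_fakeroot DIR prints one
# line per problem found in the staged tree and returns non-zero if any.
check_fakeroot() {
    root=$1
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Launchers in usr/bin must be executable and begin with "#!".
    for f in "$root"/usr/bin/*; do
        [ -f "$f" ] || continue
        [ -x "$f" ] || fail "${f#"$root"} is not executable"
        first=''
        IFS= read -r first < "$f" || true
        case $first in '#!'*) ;; *) fail "${f#"$root"} has no #! line" ;; esac
    done

    # Each menu entry must name a launcher and an icon present in the tree.
    for d in "$root"/usr/share/applications/*.desktop; do
        [ -f "$d" ] || continue
        # First word of Exec: "startup-wsfuzzer; bash" -> startup-wsfuzzer
        cmd=$(sed -n 's/^Exec[^=]*=\([^ ;]*\).*/\1/p' "$d" | head -n 1)
        [ -n "$cmd" ] && [ -f "$root/usr/bin/$cmd" ] ||
            fail "${d#"$root"}: Exec target '$cmd' is not in usr/bin"
        icon=$(sed -n 's/^Icon=//p' "$d" | head -n 1)
        [ -n "$icon" ] && [ -f "$root$icon" ] ||
            fail "${d#"$root"}: icon '$icon' is not in the tree"
    done

    # The module is overlaid on the live root, so flag risky permission bits.
    bad=$(find "$root" -type f \( -perm -0002 -o -perm -4000 -o -perm -2000 \))
    [ -z "$bad" ] || fail "world-writable or setuid/setgid: $bad"

    [ "$problems" -eq 0 ]
}

# Constructed sample tree with two deliberate mistakes: a launcher whose first
# line is "#/bin/sh" and that was never made executable.
build_sample() {
    umask 022
    mkdir -p "$1/usr/bin" "$1/usr/share/applications" "$1/usr/share/pixmaps"
    printf '#/bin/sh\necho WSFuzzer\n' > "$1/usr/bin/startup-wsfuzzer"
    chmod 644 "$1/usr/bin/startup-wsfuzzer"
    printf '%s\n' '[Desktop Entry]' 'Exec[$e]=startup-wsfuzzer; bash' \
        'Icon=/usr/share/pixmaps/wsfuzzer-icon.png' \
        > "$1/usr/share/applications/wsfuzzer.desktop"
    : > "$1/usr/share/pixmaps/wsfuzzer-icon.png"
}
```

Run it as check_fakeroot ./fakeroot from the working directory; a clean tree prints nothing and returns 0.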
Generate the .lzm module
This is the easy part.
$ ./dir2lzm ./fakeroot wsfuzzer-1.9.3.lzm
Add the modules to the ISO build directory
Also cake
$ cp -i wsfuzzer-1.9.3.lzm ../contents/slax/base/
$ chmod 775 ../contents/slax/base/wsfuzzer-1.9.3.lzm
Test the new module
I like scp'ing the new modules into a running Live CD and using the Module Manager to add modules to a running system. I typically have the Live CD running in a VM while I create modules, so it's already up and ready.
You can also gen a new ISO and run it in a VM of your choice.
$ cd ../contents/slax/
$ ./make_iso.sh /home/mtesauro/isos/new-owasp.iso
If anything doesn't work as expected, make the changes needed to ./fakeroot and try again.
Clean up and archive
Once you've got a working module, let's clean up a bit.
$ mkdir ./completed_modules/wsfuzzer
$ mv wsfuzzer-1.9.3.lzm ./completed_modules/wsfuzzer/
$ mv temp/wsfuzzer-1.9.3.tar.gz ./completed_modules/wsfuzzer/
$ mv temp/fpconst-0.7.2.tar.gz completed_modules/wsfuzzer/
$ rm -rf ./temp/*
I usually delete anything under ./fakeroot also.
$ rm -rf ./fakeroot/*

