Watcher – Web Security Testing and Auditing!

March 24, 2009 19:00 pm · 0 comments

by Black

in Open Source, Penetration Testing, Security tools, Web Application Penetration Testing

Casaba Security has released Watcher v1.0.0, a new passive Web security testing and auditing tool.

Watcher is a runtime passive-analysis tool for HTTP-based Web applications on any web platform.

Watcher provides white hat pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads, cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Watcher can be a handy tool for white hat testers: because it is passive, it adds no traffic of its own to the application and so is not easily detected.


Dependency:

Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com. Watcher works seamlessly with today’s complex Web 2.0 applications by running silently in the background while you drive your browser and interact with the Web application.

Watcher is built in C# as a small framework with 30+ checks already included. It’s built so that new checks can be easily created to perform custom audits specific to your organizational policies, or to perform more general-purpose security assessments.

Samples:

  • Cross-domain stylesheet and javascript references
  • User-controllable cross-domain references
  • User-controllable attribute values such as href, form action, etc.
  • User-controllable javascript events (e.g. onclick)
  • Cross-domain form POSTs
  • Insecure cookies which don’t set the HTTPOnly or secure flags
  • Open redirects which can be abused by spammers and phishers
  • Insecure Flash object parameters useful for cross-site scripting
  • Insecure Flash crossdomain.xml
  • Insecure Silverlight clientaccesspolicy.xml
  • Charset declarations which could introduce vulnerability (non-UTF-8)
  • User-controllable charset declarations
  • Dangerous context-switching between HTTP and HTTPS
  • Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
  • Potential HTTP referer leaks of sensitive user-information
  • Potential information leaks in URL parameters
  • Source code comments worth a closer look
  • Insecure authentication protocols like Digest and Basic
  • SSL certificate validation errors
  • SSL insecure protocol issues (allowing SSL v2)
  • Unicode issues with invalid byte streams
  • Try and test your own.
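To show what a passive check of this kind actually does, here is an added example (not Watcher's own code, and not a Fiddler plugin) that runs a handful of the checks listed above over a single HTTP response: cookie flags, cache-control on private responses, cross-domain script and stylesheet references, Basic/Digest authentication, and non-UTF-8 charset declarations. The response, its URL and its headers are constructed for the example; the rule that "a response which sets a cookie carries private data" is a simplifying assumption of this example, not something the post states.

```python
"""Passive HTTP response checks in the spirit of Watcher (added example).

Not Watcher's code: a minimal, self-contained illustration of how a passive
checker inspects a response it has already seen, without sending anything.
"""
import re
from urllib.parse import urlparse

# Constructed sample response (not captured from any real site).
SAMPLE_URL = "https://app.example.test/account"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=ISO-8859-1"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
    ("Cache-Control", "private, max-age=600"),
    ("WWW-Authenticate", 'Basic realm="admin"'),
]
SAMPLE_BODY = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="https://widgets.third-party.test/w.js"></script>
<script src="/static/app.js"></script>
</head><body>account page</body></html>
"""


def header_values(headers, name):
    """All values of a (possibly repeated) header, case-insensitive on the name."""
    return [v for k, v in headers if k.lower() == name.lower()]


def check_cookie_flags(headers, url):
    """Flag cookies that lack HttpOnly, or lack Secure on an https response."""
    findings = []
    for raw in header_values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks HttpOnly")
        if urlparse(url).scheme == "https" and "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure")
    return findings


def check_cache_control(headers):
    """Assumption of this example: a response that sets a cookie is private
    and should therefore declare Cache-Control: no-store."""
    if not header_values(headers, "Set-Cookie"):
        return []
    directives = set()
    for value in header_values(headers, "Cache-Control"):
        directives.update(d.strip().lower() for d in value.split(","))
    if "no-store" not in directives:
        return ["private response without Cache-Control: no-store"]
    return []


def check_cross_domain_refs(body, url):
    """Report <script src> and <link rel=stylesheet href> pointing off-origin."""
    origin_host = urlparse(url).hostname
    findings = []
    for m in re.finditer(r"<(script|link)\b([^>]*)>", body, re.I):
        tag, attrs = m.group(1).lower(), m.group(2)
        if tag == "link" and "stylesheet" not in attrs.lower():
            continue  # only stylesheet links are of interest here
        attr = "src" if tag == "script" else "href"
        ref = re.search(r"""\b%s\s*=\s*["']([^"']+)["']""" % attr, attrs, re.I)
        host = urlparse(ref.group(1)).hostname if ref else None
        if host and host != origin_host:  # relative URLs have no host: same origin
            findings.append(f"cross-domain {tag} reference to {host}")
    return findings


def check_auth_scheme(headers):
    """Basic and Digest challenges are the schemes the post calls insecure."""
    findings = []
    for value in header_values(headers, "WWW-Authenticate"):
        scheme = value.split()[0].lower() if value.split() else ""
        if scheme in ("basic", "digest"):
            findings.append(f"insecure authentication scheme offered: {scheme}")
    return findings


def check_charset(headers):
    """Anything other than UTF-8 in Content-Type is reported, as in the list above."""
    for value in header_values(headers, "Content-Type"):
        m = re.search(r"charset=([\w-]+)", value, re.I)
        if m and m.group(1).lower() not in ("utf-8", "utf8"):
            return [f"non-UTF-8 charset declared: {m.group(1)}"]
    return []


def run_checks(url, headers, body):
    """Run every check over one observed response and return the findings."""
    findings = []
    for check in (check_cookie_flags, check_cache_control):
        findings += check(headers, url) if check is check_cookie_flags else check(headers)
    findings += check_cross_domain_refs(body, url)
    findings += check_auth_scheme(headers)
    findings += check_charset(headers)
    return findings


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```

Each check is a pure function over the response the proxy already has, which is the whole point of a passive tool: it can run on every response you browse without altering what the browser sends. A real plugin would hook the proxy's response event and call `run_checks` from there; the constructed sample yields seven findings, and a response with HttpOnly/Secure cookies, `Cache-Control: no-store`, a UTF-8 charset and only same-origin references yields none.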

Installation

Install the Fiddler tool http://www.fiddlertool.com. Then either run the WatcherSetup.exe installer or open the .ZIP and copy Watcher.dll and WatcherCheckLib.dll into Fiddler’s ‘Scripts’ folder:

On Windows XP flavors – copy the DLLs to %userprofile%\My Documents\Fiddler2\Scripts
On Windows Vista flavors – copy the DLLs to %userprofile%\Documents\Fiddler2\Scripts

Download Watcher here
