Watcher v1.5.8 - Web Security Testing Tool and Passive Vulnerability Scanner
Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Because it is passive it never sends its own requests or modifies traffic, so it will not damage production systems and is safe to use in cloud, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. It gives pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.
Major Features:
- Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, JavaScript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
- Works seamlessly with complex Web 2.0 applications while you drive the Web browser
- Non-intrusive, will not raise alarms or damage production sites
- Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
- Configurable domains with wildcard support
- Extensible framework for adding new checks
Watcher is built as a plugin for the Fiddler HTTP debugging proxy available at www.fiddlertool.com. Fiddler provides all of the rich functionality of a good Web/HTTP proxy: with Fiddler you can capture all HTTP traffic, intercept and modify it, replay requests, and much more. Fiddler provides the HTTP proxy framework for Watcher to work in, allowing seamless integration with today's complex Web 2.0 or Rich Internet Applications. Watcher runs silently in the background while you drive your browser and interact with the Web application.
Watcher is built in C# as a small framework with 30+ checks already
included. It's built so that new checks can be easily created to perform
custom audits specific to your organizational policies, or to perform
more general-purpose security assessments.
Examples of the types of issues Watcher will currently identify:
- ASP.NET VIEWSTATE insecure configurations
- JavaServer MyFaces ViewState without cryptographic protections
- Cross-domain stylesheet and JavaScript references
- User-controllable cross-domain references
- User-controllable attribute values such as href, form action, etc.
- User-controllable JavaScript events (e.g. onclick)
- Cross-domain form POSTs
- Insecure cookies which don't set the HTTPOnly or secure flags
- Open redirects which can be abused by spammers and phishers
- Insecure Flash object parameters useful for cross-site scripting
- Insecure Flash crossdomain.xml
- Insecure Silverlight clientaccesspolicy.xml
- Charset declarations which could introduce vulnerability (non-UTF-8)
- User-controllable charset declarations
- Dangerous context-switching between HTTP and HTTPS
- Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
- Potential HTTP referer leaks of sensitive user-information
- Potential information leaks in URL parameters
- Source code comments worth a closer look
- Insecure authentication protocols like Digest and Basic
- SSL certificate validation errors
- SSL insecure protocol issues (allowing SSL v2)
- Unicode issues with invalid byte streams
- SharePoint insecurity checks
- and more...
Reducing false positives is a high priority, and suggestions are welcome. Right now each check takes steps to reduce false positives, some better than others, and checks can be individually disabled if they're generating too much noise.
Release Notes
Watcher.zip contains the two DLLs for manual installation of the plugin; drop them in your Fiddler2\Scripts user or program files folder.
WatcherSetup.exe is an installer built with NSIS that will copy the two DLLs into either your Fiddler2\Scripts user or program files folder.
WatcherTFS.zip contains the Team
Foundation Server (TFS) component which Watcher uses to export results
to TFS. Installation and further instructions are included in the ZIP
file.
Program: Watcher Passive Web Security Tool for Fiddler
Version: 1.5.8
Release: 25-June-2013
License: Custom Open Source
Authors: Chris Weber
Testers: Chris Weber
Contact: [email protected]
Website: http://websecuritytool.codeplex.com/
Company: http://www.casaba.com/
Copyright (c) 2010 - 2013 Casaba Security, LLC. All Rights Reserved.
+++ major new feature
+ minor new feature
* changed feature
% improved performance or quality
! fixed minor bug
!!! fixed major bug
v1.5.8 2013-06-25
! Fixed bug in SSL certificate validation
Reviewed by Zion3R at 11:57 AM