New Web Vulnerability Tool Is Passive But Aggressive

Every couple of weeks, a project comes across my desk that requires some sort of Web application vulnerability assessment or penetration test. It's one of the more fun things I get to do, and I rely on a quite a few different tools during each engagement. While most people relatively unfamiliar with Web app security think of active scanning apps such as Cenzic and WebInspect when they think Web app testing, quite a few of the tools I use fall into the passive analysis category.Each of the of the passive tools I use has the capability to actively modify things like the HTTP request and response, but their default behavior is to record and/or analyze the pages visited by my Web browser. Some of my favorites include Burp Suite, Paros Proxy and RatProxy, but I just started testing a new one called Watcher that shows some promise. Watcher is not a stand-alone tool, but an add-on that adds functionality to the Fiddler HTTP Proxy and Debugger.

So what's so cool about Watcher? Well, the first thing to mention is not necessarily in the "cool"-factor, but for those of you who only use Windows, you can be happy that Watcher it's not another Linux-based tool you can't use. For the rest of us, we will either run it in a Windows VM or stick with our Linux and Mac tools.

On the serious side, what I really like about tools including Watcher and RatProxy is that you just browse the target Website and they do all the work in the background. You don't put in a URL and click Scan. You don't have to warn the admins that there might be a flurry of e-mails generated by forms on the site. All you do is fire up the tool and browse the Website, which is already one of the first steps of a web app pen-test. After doing the initial recon and getting familiar with the target, you can go back and review the logs for some of the low-hanging fruit.

Some of the things it checks for include SSL certificate and protocol issues, possible information leakage in URL parameters, open redirects, cross domain POSTs, and much more. There is even experimental support for Microsoft SharePoint insecurities--a Web app that doesn't receive enough attention, in my opinion.

Word of caution: there will be false positives and false negatives. Every Web app vulnerability testing tool I've ever used has had them, which is why I rely on multiple tools and manual testing with just a browser and a man-in-the-middle proxy like Burp Proxy and TamperData.

Take Watcher for a spin and let me know what you think. Do you see it replacing any current tool you use or a supplement to your current toolset?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.