
Commentary
4/13/2009 04:41 PM
John H. Sawyer

New Web Vulnerability Tool Is Passive But Aggressive

Every couple of weeks, a project comes across my desk that requires some sort of Web application vulnerability assessment or penetration test. It's one of the more fun things I get to do, and I rely on quite a few different tools during each engagement. While most people relatively unfamiliar with Web app security think of active scanning apps such as Cenzic and WebInspect when they think Web app testing, quite a few of the tools I use fall into the passive analysis category.

Each of the passive tools I use has the capability to actively modify things like the HTTP request and response, but their default behavior is to record and/or analyze the pages visited by my Web browser. Some of my favorites include Burp Suite, Paros Proxy and RatProxy, but I just started testing a new one called Watcher that shows some promise. Watcher is not a stand-alone tool, but an add-on that adds functionality to the Fiddler HTTP Proxy and Debugger.

So what's so cool about Watcher? Well, the first thing to mention is not necessarily in the "cool" factor, but for those of you who only use Windows, you can be happy that Watcher isn't another Linux-based tool you can't use. For the rest of us, we will either run it in a Windows VM or stick with our Linux and Mac tools.

On the serious side, what I really like about tools including Watcher and RatProxy is that you just browse the target Website and they do all the work in the background. You don't put in a URL and click Scan. You don't have to warn the admins that there might be a flurry of e-mails generated by forms on the site. All you do is fire up the tool and browse the Website, which is already one of the first steps of a Web app pen-test. After doing the initial recon and getting familiar with the target, you can go back and review the logs for some of the low-hanging fruit.

Some of the things it checks for include SSL certificate and protocol issues, possible information leakage in URL parameters, open redirects, cross domain POSTs, and much more. There is even experimental support for Microsoft SharePoint insecurities--a Web app that doesn't receive enough attention, in my opinion.
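To show what "passive" means in practice, here is an added Python example (not Watcher's code and not part of the original post) that runs three of the check types listed above over recorded request/response pairs without sending a single request of its own: sensitive-looking parameters in URLs, open-redirect indicators, and forms that POST to another host. The Transaction record, the SENSITIVE_PARAMS list and the example hostnames are assumptions constructed for the demo.

```python
import re
from typing import NamedTuple
from urllib.parse import urlparse, parse_qsl

class Transaction(NamedTuple):  # one recorded request/response pair, as a passive proxy logs it
    url: str
    status: int
    resp_headers: dict = {}
    resp_body: str = ""

# Assumed list of parameter names that usually carry session or credential material.
SENSITIVE_PARAMS = {"session", "sessionid", "sid", "token", "password", "apikey"}
FORM_TAG_RE = re.compile(r"<form\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')

def check_url_leakage(tx):
    """Information leakage: secrets in the query string end up in logs and Referer headers."""
    query = parse_qsl(urlparse(tx.url).query, keep_blank_values=True)
    return [f"sensitive parameter in URL: {n}" for n, _ in query if n.lower() in SENSITIVE_PARAMS]

def check_open_redirect(tx):
    """Open-redirect indicator: a 3xx whose off-site Location echoes a request parameter."""
    host, location = urlparse(tx.url).netloc, tx.resp_headers.get("Location", "")
    if not (300 <= tx.status < 400 and urlparse(location).netloc not in ("", host)):
        return []
    return [f"redirect target taken from parameter {n!r}: {location}"
            for n, v in parse_qsl(urlparse(tx.url).query) if v and v in location]

def check_cross_domain_post(tx):
    """Cross-domain POST: a form on this page submits its fields to a different host."""
    host, findings = urlparse(tx.url).netloc, []
    for tag in FORM_TAG_RE.findall(tx.resp_body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        target = urlparse(attrs.get("action", "")).netloc
        if attrs.get("method", "get").lower() == "post" and target and target != host:
            findings.append(f"form POSTs cross-domain to {target}")
    return findings

def analyze(transactions):
    """Run every passive check over recorded traffic; returns {url: [findings]}."""
    return {tx.url: hits for tx in transactions
            if (hits := check_url_leakage(tx) + check_open_redirect(tx) + check_cross_domain_post(tx))}

# Constructed sample traffic (hostnames are placeholders, not real sites).
SAMPLE_TRAFFIC = [
    Transaction("https://shop.example.com/account?sessionid=abc123", 200, {},
                '<form method="post" action="https://pay.example.net/checkout"><input name="card"></form>'),
    Transaction("https://shop.example.com/login?next=https://evil.example.org/", 302,
                {"Location": "https://evil.example.org/"}),
    Transaction("https://shop.example.com/", 200, {}, '<form method=post action="/search"></form>'),
]
```

Every hit is only an indicator to confirm by hand, which is the same false-positive caveat the post makes about every scanner.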

Word of caution: there will be false positives and false negatives. Every Web app vulnerability testing tool I've ever used has had them, which is why I rely on multiple tools and manual testing with just a browser and a man-in-the-middle proxy like Burp Proxy and TamperData.

Take Watcher for a spin and let me know what you think. Do you see it replacing any current tool you use or a supplement to your current toolset?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
