WebApp Sec: [tool] ratproxy - passive web application security assessment tool

From: Michal Zalewski <lcamtuf_at_dione.cc>
Date: Wed, 2 Jul 2008 02:35:24 +0200 (CEST)

Hi all,

I am happy to announce that we've just open sourced ratproxy - a free, passive
web security assessment tool. This utility is designed to transparently analyze
legitimate, browser-driven interactions with tested web applications - and
automatically pinpoint, annotate, and prioritize potential flaws or areas of
concern on the fly.

The proxy analyzes problems such as cross-site script inclusion threats,
insufficient cross-site request forgery defenses, caching issues, potentially
unsafe cross-domain code inclusion schemes and information leakage scenarios,
and much more.

For a detailed discussion of the utility, please visit:
   http://code.google.com/p/ratproxy/wiki/RatproxyDoc

Source code is available at:
   http://code.google.com/p/ratproxy/downloads/list

And finally, a screenshot of a sample report can be found here:
   http://lcamtuf.coredump.cx/ratproxy-screen.png

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is
in beta, there might be some kinks to be ironed out, and not all web
technologies might be properly accounted for. Feedback is appreciated.

Please keep in mind that the proxy is meant to highlight interesting patterns
in web applications; a further analysis by a security professional is required
to interpret the significance of results for a particular platform.

Cheers,
/mz

Received on Jul 02 2008
