[geeklog-devel] Fwd: [tool] ratproxy - passive web application security assessment tool
Dirk Haun
dirk at haun-online.de
Wed Jul 2 13:38:09 EDT 2008
May be worth a look:
---------------- Anfang Weiterleitung ----------------
Betreff: [tool] ratproxy - passive web application security assessment tool
Gesendet: Mittwoch, 2. Juli 2008 2:02 Uhr
Von: Michal Zalewski <lcamtuf at dione.cc>
An: bugtraq at securityfocus.com
, websecurity at webappsec.org
Kopie: full-disclosure at lists.grok.org.uk
Hi all,
I am happy to announce that we've just open sourced ratproxy - a free,
passive web security assessment tool. This utility is designed to
transparently analyze legitimate, browser-driven interactions with tested
web applications - and automatically pinpoint, annotate, and prioritize
potential flaws or areas of concern on the fly.
The proxy analyzes problems such as cross-site script inclusion threats,
insufficient cross-site request forgery defenses, caching issues,
potentially unsafe cross-domain code inclusion schemes and information
leakage scenarios, and much more.
For a detailed discussion of the utility, please visit:
http://code.google.com/p/ratproxy/wiki/RatproxyDoc
Source code is available at:
http://code.google.com/p/ratproxy/downloads/list
And finally, screenshot of a sample report can be found here:
http://lcamtuf.coredump.cx/ratproxy-screen.png
The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since
it is in beta, there might be some kinks to be ironed out, and not all web
technologies might be properly accounted for. Feedback is appreciated.
Please keep in mind that the proxy is meant to highlight interesting
patterns in web applications; a further analysis by a security
professional is required to interpret the significance of results for a
particular platform.
Cheers,
/mz
----------------- Ende Weiterleitung -----------------
More information about the geeklog-devel
mailing list