
 

Ratproxy, a passive audit tool for your web services

Filed in archive Securing by Rom Feria on July 12, 2008



Ratproxy is described by Google as a "semi-automated, largely passive web application security assessment tool". Google released it to help developers and system administrators audit their web applications by observing the traffic a browser already generates, instead of sending the application a flood of attack requests that would load, or disrupt, a live system.

Ratproxy prides itself on having the following advantages over other available solutions:

1. No risk of disruptions. In the default operating mode, the tool does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms.

2. Low effort, high yield. Compared to active scanners or fully manual proxy-based testing, ratproxy assessments take very little time or bandwidth to run, and proceed in an intuitive, distraction-free manner - yet provide a good insight into the inner workings of a product, and the potential security vulnerabilities therein. They also afford a consistent and predictable coverage of user-accessible features.

3. Preserved control flow of human interaction. By silently following the browser, the coverage in locations protected by nonces, during other operations valid only under certain circumstances, or during dynamic events such as cross-domain Referer data disclosure, is greatly enhanced. Brute-force crawlers and fuzzers usually have no way to explore these areas in a reliable manner.

4. WYSIWYG data on script behavior. JavaScript interfaces and event handlers are explored precisely to the degree they are used in the browser, with no need for complex guesswork or simulations. Active scanners often have significant difficulty exploring JSON responses, XMLHttpRequest() behavior, UI-triggered event data flow, and the like.

5. Easy process integration. The proxy can be transparently integrated into existing manual security testing or interface QA processes without introducing significant setup or operator training overhead.


This is something worth looking at, especially since the tool is free. In practice you point the browser at the proxy (it listens on TCP port 8080 by default), browse the application by hand so the proxy sees real, authenticated traffic, and afterwards run ratproxy-report.sh over the log file it wrote to get an HTML report of what it noticed.
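To make points 3 and 4 above concrete, here is an added example (written for this page, not ratproxy's own code) of the kind of checks a passive proxy can make from traffic it merely watches: a cross-domain Referer that carries query-string data off-site, an authenticated JSON reply that is readable cross-site or mislabelled, and a state-changing POST with nothing that looks like an anti-CSRF token. The trace, the host names and the `audit()`/`check_*` helpers are all constructed for the example; the heuristics are illustrative and are not a description of ratproxy's internal logic.

```python
"""Passive-audit checks over a captured browser trace (example, not ratproxy code)."""
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: request/response pairs as a passive proxy would record them.
TRACE = [
    {  # 1: authenticated page whose URL carries a session id in the query string
        "method": "GET",
        "url": "https://app.example.com/account?session=abc123&user=rom",
        "req_headers": {"Cookie": "sid=4f2a"}, "req_body": "",
        "status": 200, "resp_headers": {"Content-Type": "text/html"},
        "resp_body": "<html><a href='https://partner.example.net/'>partner</a></html>",
    },
    {  # 2: the browser follows the link; the Referer carries the session id off-site
        "method": "GET",
        "url": "https://partner.example.net/",
        "req_headers": {"Referer": "https://app.example.com/account?session=abc123&user=rom"},
        "req_body": "",
        "status": 200, "resp_headers": {"Content-Type": "text/html"},
        "resp_body": "<html>partner</html>",
    },
    {  # 3: XMLHttpRequest fetching a bare JSON array, served as text/html, no XSSI prefix
        "method": "GET",
        "url": "https://app.example.com/api/contacts",
        "req_headers": {"Cookie": "sid=4f2a"}, "req_body": "",
        "status": 200, "resp_headers": {"Content-Type": "text/html"},
        "resp_body": '[{"name": "Alice", "email": "alice@example.com"}]',
    },
    {  # 4: state-changing form post carrying no anti-CSRF token
        "method": "POST",
        "url": "https://app.example.com/account/email",
        "req_headers": {"Cookie": "sid=4f2a",
                        "Content-Type": "application/x-www-form-urlencoded"},
        "req_body": "email=new%40example.com",
        "status": 302, "resp_headers": {"Location": "/account"}, "resp_body": "",
    },
    {  # 5: a JSON endpoint with a guard prefix and correct type; should yield no finding
        "method": "GET",
        "url": "https://app.example.com/api/profile",
        "req_headers": {"Cookie": "sid=4f2a"}, "req_body": "",
        "status": 200, "resp_headers": {"Content-Type": "application/json"},
        "resp_body": ")]}'\n{\"name\": \"Rom\"}",
    },
]

XSSI_PREFIXES = (")]}'", "while(1);", "for(;;);")   # common "unparseable" guards
TOKEN_HINTS = ("token", "nonce", "csrf", "xsrf")     # assumed names for anti-CSRF fields


def check_referer_leak(entry):
    """Request to one host carrying a Referer from another host that has a query string."""
    referer = entry["req_headers"].get("Referer")
    if not referer:
        return None
    src, dst = urlsplit(referer), urlsplit(entry["url"])
    if src.hostname == dst.hostname or not src.query:
        return None
    params = [k for k, _ in parse_qsl(src.query)]
    return ("referer_leak", entry["url"],
            "query params sent to %s: %s" % (dst.hostname, ",".join(params)))


def check_json_exposure(entry):
    """Cookie-authenticated JSON reply that is a bare array (script-includable) or mislabelled."""
    if "Cookie" not in entry["req_headers"]:
        return None
    body = entry["resp_body"].lstrip()
    if body.startswith(XSSI_PREFIXES):
        return None
    try:
        parsed = json.loads(body)
    except ValueError:          # not JSON at all (HTML page, empty redirect body, ...)
        return None
    ctype = entry["resp_headers"].get("Content-Type", "").split(";")[0].strip().lower()
    problems = []
    if isinstance(parsed, list):
        problems.append("bare JSON array without XSSI prefix")
    if ctype != "application/json":
        problems.append("JSON served as %s" % (ctype or "no Content-Type"))
    return ("json_exposure", entry["url"], "; ".join(problems)) if problems else None


def check_csrf_token(entry):
    """Cookie-authenticated POST whose body has no parameter that looks like a token."""
    if entry["method"] != "POST" or "Cookie" not in entry["req_headers"]:
        return None
    names = [k.lower() for k, _ in parse_qsl(entry["req_body"])]
    if any(h in n for n in names for h in TOKEN_HINTS):
        return None
    return ("missing_csrf_token", entry["url"], "form fields: %s" % ",".join(names))


CHECKS = (check_referer_leak, check_json_exposure, check_csrf_token)


def audit(trace):
    """Run every passive check over every recorded exchange; return (kind, url, detail) tuples."""
    findings = []
    for entry in trace:
        for check in CHECKS:
            result = check(entry)
            if result:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for kind, url, detail in audit(TRACE):
        print("%-20s %s  (%s)" % (kind, url, detail))
```

Nothing here sends a request of its own: every finding is derived from exchanges the browser produced on its own, which is exactly why such checks are safe to run against a production site and why they see nonce-protected and XMLHttpRequest-driven pages that a crawler would miss. The token heuristic is deliberately crude (a field name containing "token", "nonce", "csrf" or "xsrf" counts as protection); a real tool must confirm that the value is actually validated, which a passive observer cannot do on its own.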

[Image from Ratproxy site]




