Google Ratproxy
If you are responsible for developing or maintaining a website and haven’t checked out Ratproxy yet, you’re missing out. Before I start spouting off about just how cool and useful this tool is, I suppose I should first tell you what a proxy is. In a nutshell, an intercepting proxy is an application that runs locally on your computer and sits between your web browser and the web server, seeing every HTTP request and response that passes between them. In almost all cases the proxy can also manipulate that conversation: modifying your cookies, changing POST and GET parameters, and finding hidden form fields are made uber-easy with the assistance of a proxy.
I don’t claim to be an expert on proxies, but I have used several in the past, including OWASP WebScarab and Paros. While both of these tools provide the features described above, Ratproxy takes a very different approach. You start up the proxy and tell your browser to pass requests through it. Simple enough. Then you just start surfing your website as though you were a regular user. In the background, Ratproxy is passively collecting all sorts of useful information about the website from the traffic it sees. When you’re done surfing the site, you run the report (Ratproxy writes a log file, and the bundled ratproxy-report.sh script turns it into a nice web page) full of useful information about the site. It’ll show you pages that look vulnerable to CSRF, XSS, and a host of other security issues, ranks them as high, medium, or low impact, and provides very good explanations of each finding. One caveat: because Ratproxy only watches traffic unless you turn on its optional active checks, what it reports are candidates, and you still need to confirm each one by hand before calling it a vulnerability.
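To make the "browse through a proxy, get findings for free" idea concrete, here is a tiny passive-audit proxy. This is an added example, not Ratproxy’s code and not affiliated with Google: it relays plain-HTTP requests untouched, runs a few heuristic checks on each response (a parameter reflected verbatim into HTML, a POST form with no hidden anti-CSRF field, session cookies missing HttpOnly or Secure), and accumulates findings for a severity-ranked text report. The sample URL, headers and HTML below are constructed for the demo, and the check names, thresholds and severities are my own choices, not Ratproxy’s.

```python
# Added example: a minimal passive-audit forward proxy in the spirit of Ratproxy.
# Not Ratproxy's code. Plain HTTP only (no CONNECT tunnelling for HTTPS).
import http.server
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

SEVERITIES = ("high", "medium", "low")


@dataclass
class Finding:
    severity: str
    url: str
    issue: str


def _headers(headers, name):
    """All values for a header name from a list of (name, value) pairs."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _has_token_field(form_html):
    """True if the form carries a hidden input whose name looks like an anti-CSRF token."""
    for tag in re.findall(r"<input\b[^>]*>", form_html, re.I):
        if re.search(r"type\s*=\s*[\"']?hidden", tag, re.I) and re.search(
                r"name\s*=\s*[\"']?[^\"' >]*(csrf|token|nonce)", tag, re.I):
            return True
    return False


def audit_exchange(method, url, req_body, resp_headers, resp_body):
    """Passive heuristics on one request/response pair; returns a list of Finding.

    Like any passive scanner's output, every finding is a candidate to confirm by hand.
    """
    findings = []
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
    if method == "POST" and req_body:
        params.update(urllib.parse.parse_qsl(req_body))
    is_html = any("text/html" in v.lower() for v in _headers(resp_headers, "content-type"))

    if is_html:
        # A request parameter echoed verbatim into HTML is an XSS candidate (short values skipped to cut noise).
        for name, value in params.items():
            if len(value) >= 4 and value in resp_body:
                findings.append(Finding("high", url, f"parameter '{name}' reflected verbatim into HTML"))
        # A POST form with no hidden token-like field is a CSRF candidate.
        for form in re.findall(r"<form\b[^>]*>.*?</form>", resp_body, re.I | re.S):
            if re.search(r"method\s*=\s*[\"']?post", form, re.I) and not _has_token_field(form):
                findings.append(Finding("medium", url, "POST form without a hidden anti-CSRF token"))

    # Cookies should carry HttpOnly, and Secure when set over HTTPS; attributes follow the first ';'.
    for cookie in _headers(resp_headers, "set-cookie"):
        parts = [p.strip().lower() for p in cookie.split(";")]
        cname, attrs = parts[0].split("=", 1)[0], parts[1:]
        if "httponly" not in attrs:
            findings.append(Finding("medium", url, f"cookie '{cname}' set without HttpOnly"))
        if url.startswith("https://") and "secure" not in attrs:
            findings.append(Finding("low", url, f"cookie '{cname}' set without Secure on an HTTPS page"))
    return findings


def report(findings):
    """Group findings by severity into a plain-text report (Ratproxy's real report is HTML)."""
    return "\n".join(f"[{sev.upper():6}] {f.url}: {f.issue}"
                     for sev in SEVERITIES for f in findings if f.severity == sev)


FINDINGS = []  # accumulated across the whole browsing session


class PassiveProxy(http.server.BaseHTTPRequestHandler):
    """Forward proxy: relay the request unchanged, audit the reply, relay it unchanged."""

    def _relay(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        skip = {"proxy-connection", "connection", "accept-encoding", "content-length"}
        hdrs = {k: v for k, v in self.headers.items() if k.lower() not in skip}
        req = urllib.request.Request(self.path, data=body, headers=hdrs, method=self.command)
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no upstream proxy
        try:
            resp = opener.open(req, timeout=15)
        except urllib.error.HTTPError as err:
            resp = err  # 4xx/5xx replies are still worth auditing
        data = resp.read()
        resp_headers = list(resp.headers.items())
        FINDINGS.extend(audit_exchange(self.command, self.path, body.decode("latin-1") if body else "",
                                       resp_headers, data.decode("latin-1", "replace")))
        self.send_response(resp.getcode())
        for k, v in resp_headers:
            if k.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _relay


# Constructed sample exchange for an offline demo (not captured from any real site).
SAMPLE_URL = "https://shop.example.test/search?q=gloves&page=2"
SAMPLE_HEADERS = [("Content-Type", "text/html; charset=utf-8"),
                  ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
                  ("Set-Cookie", "theme=dark; Path=/; HttpOnly; Secure")]
SAMPLE_BODY = """<html><body><h1>Results for gloves</h1>
<form method="post" action="/cart/add"><input type="hidden" name="sku" value="17">
<input type="submit" value="Add"></form>
<form method="POST" action="/account/email"><input type="hidden" name="csrf_token" value="x">
<input name="email"></form></body></html>"""


def demo():
    """Audit the constructed sample exchange: one high, two medium, one low finding."""
    return audit_exchange("GET", SAMPLE_URL, "", SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    print(report(demo()))  # show what the checks produce before any browsing
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), PassiveProxy)
    print(f"passive proxy on 127.0.0.1:{port}; point the browser at it, Ctrl-C for the session report")
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        print(report(FINDINGS))
```

Run it, point the browser’s HTTP proxy setting at 127.0.0.1:8080, browse, and hit Ctrl-C for the report. The checks are deliberately crude string heuristics; the point is the architecture, not the rules: the proxy never changes a byte of traffic, so a developer can use it without knowing how to craft an attack, which is exactly the niche Ratproxy fills.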
Ratproxy builds on Mac OS X, Linux, and Cygwin (Windows). When I first tried to compile it in Cygwin, I had all sorts of error messages, but then I found a very helpful web page that told me exactly which libraries Cygwin was missing in order for me to compile it correctly. Part two of that article even goes on to tell you how to begin using Ratproxy.
To many, web application security is a scary thing that takes a lot of time and effort to get right, but it doesn’t have to be. You also don’t have to pay an arm and a leg to do a decent security audit of your website. Start today by downloading Ratproxy and get a feel for how secure your site is without paying a dime.
July 23rd, 2008 at 2:21 am
Thanks for posting about Ratproxy. It seems like it could be a useful tool, especially if you’re managing a network and trying to figure out the vulnerabilities of your users.
For a single user though, it seems to me like a simple browser-side extension could work just as well. Firebug probably has the capability of doing this, although the plugins I’ve seen are generally geared for web development. It would at least save you the trouble of running a proxy and reconfiguring your browser to use it.
July 24th, 2008 at 4:07 pm
I think the deal with ratproxy is it’s good for less advanced users. You just set up a proxy and browse and then it gives you lovely reports on what’s wrong. If you “know what you’re doing” you can use WebScarab or any number of other tools, but unfortunately the number of developers that “know what they’re doing” in a security sense is low.
July 27th, 2008 at 11:41 am
Good point, Victor. There are actually some very good Firefox plugins that you can use to test the security of your web applications. These include “Add N Edit Cookies” (to modify your cookie info), HackBar (HTML encoding, XSS, SQL injection), Tamper Data (modify POST parameters), and Live HTTP Headers (view HTTP headers). As Ernest said, the problem with these tools is that while they allow you to test web application security, the user using them has to actually know what they are doing. If you don’t know what you are looking for, then a proxy tool like Ratproxy helps to fill in those knowledge gaps.
May 11th, 2009 at 12:22 am
Can I quote you in my report for school?
May 11th, 2009 at 4:32 pm
Sure, feel free to quote me in your report for school and please let me know if you have any questions.