Therefore, it should be no shock that I love tools that don't require me to do much of anything to get great results. How about a Fiddler plug-in that simply watches me browse the site I want to target and stacks up potential vulnerabilities (or areas that require further exploration) in that site or application? Sound good to you?
A tool called Watcher fits right into that category when it comes to web application vulnerability detection. I stumbled upon this tool a while ago while looking through the web for browser-based web site security vulnerability detection (hacking) tools. Chris Weber of Casaba Security came up with the idea while researching browser-based, lightweight tools to complement his penetration testing strategy and other tools in his arsenal. Since he'd already been using Fidder (a plug-in testing assistance tool for Internet Explorer) he figured why not just write a plug-in to Fiddler and do passive site vulnerability analysis. Watcher is the result of that endeavor.
So here's why I think you should make Watcher part of your toolbox if you're doing web application/site secrity analysis or penetration testing....
- Watcher integrates nicely in Fiddler2 and provides additional functionality in a very low footprint
- It's useful... and the new version 1.2 (coming very, very soon) has added checks for many things that should interest you as a tester including cookies, headers, user-controlled content space, SSL and other things
- Has explicit checks for "dubious information disclosure"... which I think a lot of the commercial scanners don't do a good job of defining
- It's simple and nearly effortless... now that's a feature everyone will love
- You get results... and with very little effort you can help spot trouble spots in site that require your further testing skillZ
As someone who lives in the web site vulnerability world... I now include this in my toolbox for when I'm looking at a large app with no idea where to start. I simply keep this tool running and just browse... Watcher does the rest.
Kudos to Chris over at Casaba, keep the releases and signature updates coming!