Thursday, June 18, 2009

Watcher - Web Vulnerabilities Served Up Passively

I'm lazy, and getting lazier these days.

Therefore, it should be no shock that I love tools that don't require me to do much of anything to get great results. How about a Fiddler plug-in that simply watches me browse the site I want to target and stacks up potential vulnerabilities (or areas that require further exploration) in that site or application? Sound good to you?

A tool called Watcher fits right into that category when it comes to web application vulnerability detection. I stumbled upon this tool a while ago while looking through the web for browser-based web site security vulnerability detection (hacking) tools. Chris Weber of Casaba Security came up with the idea while researching browser-based, lightweight tools to complement his penetration testing strategy and other tools in his arsenal. Since he'd already been using Fidder (a plug-in testing assistance tool for Internet Explorer) he figured why not just write a plug-in to Fiddler and do passive site vulnerability analysis. Watcher is the result of that endeavor.

So here's why I think you should make Watcher part of your toolbox if you're doing web application/site secrity analysis or penetration testing....
  • Watcher enables vulnerability hotspot detection which gives you a better idea of where to target your efforts; essentially focusing on where JavaScript and user-controlled HTML are rampant
  • Watcher integrates nicely in Fiddler2 and provides additional functionality in a very low footprint
  • It's useful... and the new version 1.2 (coming very, very soon) has added checks for many things that should interest you as a tester including cookies, headers, user-controlled content space, SSL and other things
  • Has explicit checks for "dubious information disclosure"... which I think a lot of the commercial scanners don't do a good job of defining
  • It's simple and nearly effortless... now that's a feature everyone will love
  • You get results... and with very little effort you can help spot trouble spots in site that require your further testing skillZ
Will Watcher replace your current commercial or open-source web application vulnerability scanner? No, most definitely not. Is it the only tool you need... definitely not. Does it have a super-comprehensive library or checks... and does it never generate false-positives? Nope. So why try it? Simple ... because you have a finite amount of time to test a monstrosity of a site, and you have no idea where some of the lower-hanging fruit might lie... Watcher can help you figure that out while simply browsing the site.

As someone who lives in the web site vulnerability world... I now include this in my toolbox for when I'm looking at a large app with no idea where to start. I simply keep this tool running and just browse... Watcher does the rest.

Kudos to Chris over at Casaba, keep the releases and signature updates coming!

No comments: