Monday, November 02, 2009

Watcher: Spotting dubious webishness

November's toolsmith features Watcher, a great passive security auditor from Chris Weber of Casaba Security, that detects web application security issues as well as operational configuration concerns. Watcher plugs neatly into Fiddler, an indispensable proxy that should be an inherent part of your web application assessment tool kit.
The toolsmith article covers using Watcher to detect "dubious" comments, cookies missing the HTTPOnly flag, open redirects, and insecure cross-domain Flash policies (crossdomain.xml), so I won't repeat myself here.
Watcher is also excellent at flagging likely XSS vulnerabilities: as you browse, it passively notes which request parameters are reflected into responses, and therefore which ones are candidate injection points, without sending a single request of its own.
As an example, a visit to a site (one that shall remain anonymous only to those without fundamental Google skills) produced Figure 1, Watcher's view after passively reviewing the site against its 37 checks.

Figure 1

Note that Watcher flags what it rates as a potentially high severity finding: a user-controllable HTML element attribute. It further pinpoints the location, the value attribute of the fourth input tag, which reflects the keyword parameter. Because the check is passive, this is only an indication that the parameter lands in an attribute; a quick active test by the author against the keyword parameter confirms Watcher's suspicion, as seen in Figure 2.

Figure 2

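To make the finding concrete, here is an added example of my own (illustration only, not Watcher's code or anything from Casaba's project) of the two stages above: the passive stage, which reads a request URL and its response off the wire and reports every tag attribute that reflects a query parameter, distinguishing a raw copy from an HTML-encoded one; and the active stage, which resends the parameter with a double quote in it and checks whether that quote came back unencoded inside a tag, the precondition for breaking out of the attribute. The search page, its parameter names and the marker string are all constructed for the example and do not describe the site in the figures.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qsl

# Start tags are matched on the raw response text, not through an HTML parser,
# because parsers unescape attribute values and we need to tell a raw
# reflection (user input copied verbatim) from an encoded one (&quot; etc.).
TAG_RE = re.compile(r"""<([A-Za-z][\w:-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>""")
ATTR_RE = re.compile(r"""([^\s=/>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

MIN_LEN = 3  # one- or two-character parameter values match almost anything; skip them


def find_user_controllable_attributes(url, html_body):
    """Passive check: which tag attributes in html_body reflect a query parameter of url?

    Returns one finding per (tag, attribute, parameter) hit. 'encoded' is False when the
    parameter value appears verbatim and True when only its HTML-escaped form appears.
    """
    params = [(k, v) for k, v in parse_qsl(urlsplit(url).query) if len(v) >= MIN_LEN]
    findings = []
    for tag_match in TAG_RE.finditer(html_body):
        tag, attr_text = tag_match.group(1).lower(), tag_match.group(2)
        for attr_match in ATTR_RE.finditer(attr_text):
            name = attr_match.group(1).lower()
            raw = attr_match.group(2) or attr_match.group(3) or attr_match.group(4) or ""
            for pname, pvalue in params:
                encoded_value = escape(pvalue, quote=True)
                if pvalue in raw:
                    findings.append({"tag": tag, "attr": name, "param": pname,
                                     "encoded": False, "severity": "high"})
                elif encoded_value != pvalue and encoded_value in raw:
                    findings.append({"tag": tag, "attr": name, "param": pname,
                                     "encoded": True, "severity": "info"})
    return findings


def breakout_probe(marker="wtchr"):
    """Value for the active follow-up: a double quote that closes the attribute if reflected raw."""
    return f'{marker}"{marker}'


def attribute_breakout_confirmed(html_body, marker="wtchr"):
    """True if the probe's quote came back unencoded inside a tag, i.e. the attribute can be
    closed, which is what an attacker needs to inject a new attribute or tag (an XSS)."""
    needle = breakout_probe(marker)
    idx = html_body.find(needle)
    if idx < 0:
        return False
    # Inside a tag if the nearest '<' before the hit comes after the nearest '>'.
    return html_body.rfind("<", 0, idx) > html_body.rfind(">", 0, idx)


def render_search_page(keyword, encode_output):
    """Constructed stand-in for the search page in the post (hypothetical markup, not the real
    site): the fourth <input> echoes ?keyword=, raw or HTML-encoded depending on encode_output."""
    shown = escape(keyword, quote=True) if encode_output else keyword
    return (
        '<html><body><form action="/search">'
        '<input type="hidden" name="site" value="main">'
        '<input type="hidden" name="lang" value="en">'
        '<input type="hidden" name="page" value="1">'
        f'<input type="text" name="keyword" value="{shown}">'
        '<input type="submit" value="Go">'
        "</form></body></html>"
    )


if __name__ == "__main__":
    url = "http://example.test/search?keyword=toolsmith&page=1"
    # Passive stage: browse normally and inspect the response that came back.
    for hit in find_user_controllable_attributes(url, render_search_page("toolsmith", False)):
        print("user-controllable attribute:", hit)
    # Active stage: resend with the breakout probe and see whether the quote survives.
    vulnerable = render_search_page(breakout_probe(), encode_output=False)
    fixed = render_search_page(breakout_probe(), encode_output=True)
    print("breakout on unencoded page:", attribute_breakout_confirmed(vulnerable))  # True
    print("breakout on encoded page:", attribute_breakout_confirmed(fixed))         # False
```

The passive stage alone cannot say whether the application encodes output, since an ordinary keyword contains no characters that need encoding; that is why Watcher reports the attribute as "potentially" high severity and why the quote probe is the right first active test. If the application does encode, the probe comes back as `wtchr&quot;wtchr` and the finding drops to informational.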
Passive security auditing indeed; no effort required!
Results are easily exported as well.
Browse a client site while enjoying a good sandwich and coffee, dump the results, and build your work list as a preliminary recon step for your next penetration testing engagement.
Enjoy this excellent tool; use it in good stead.
Anonymous said...

You might want to obscure the URL a little better next time, that page name is a googledork...


ekse said...

"As an example, a visit to a site that shall remain anonymous"

The page name is giving the website in a simple google search. I know you can't stop someone that would really want to find it but you should make it at least a little more difficult ;-)

Nice post btw.

Russ McRee said...

Nothing eludes you, dear readers. Yes, that was barely anonymized.
Please consider it minimalist CYA effort.
I updated the referring language accordingly.
Cheeky monkeys. ;-)

