Watcher was designed to be a runtime passive-analysis tool for HTTP-based Web applications. It detects Web-application security issues as well as operational configuration issues.
Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more. Watcher is built as a plugin for the Fiddler HTTP debugging proxy.
Watcher is built in C# as a small framework with 30+ checks already included. It's built so that new checks can be easily created to perform custom audits specific to your organizational policies, or to perform more general-purpose security assessments.
Examples of the types of issues Watcher will currently identify:
- Cross-domain stylesheet and JavaScript references
- User-controllable cross-domain references
- User-controllable attribute values such as href, form action, etc.
- User-controllable JavaScript events (e.g. onclick)
- Cross-domain form POSTs
- Insecure cookies which don't set the HttpOnly or Secure flags
- Open redirects which can be abused by spammers and phishers
- Insecure Flash object parameters useful for cross-site scripting
- Insecure Flash crossdomain.xml
- Insecure Silverlight clientaccesspolicy.xml
- Charset declarations which could introduce vulnerability (non-UTF-8)
- User-controllable charset declarations
- Dangerous context-switching between HTTP and HTTPS
- Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
- Potential HTTP referer leaks of sensitive user-information
- Potential information leaks in URL parameters
- Source code comments worth a closer look
- Insecure authentication protocols like Digest and Basic
- SSL certificate validation errors
- SSL insecure protocol issues (allowing SSL v2)
- Unicode issues with invalid byte streams
- SharePoint insecurity checks
Here are some key features of "Watcher":
· Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, JavaScript, and CSS
· Works seamlessly with complex Web 2.0 applications while you drive the Web browser
· Non-intrusive, will not raise alarms or damage production sites
· Real-time analysis and reporting - findings are reported as they’re found, exportable to XML
· Configurable domains with wildcard support
· Extensible framework for adding new checks
Requirements:
· Fiddler
What's New in This Release:
· Added AutoScroll to the results ListView.
· Added descriptions to each check.
· Added credit card and SSN detection to information disclosure checks.
· Added ability to configure cookie checks to ignore or look for specific cookies.
· New check to detect user-controlled JavaScript events.
· New check to detect charset mismatches.
· New (EXPERIMENTAL) check to detect insecure SharePoint Document Library.
· Implemented lazy-load in Fiddler (plugin doesn't start until tab is clicked).
· Some false positive reduction applied to cookie and user-controlled checks.
· Removed dependency on .NET Framework 3.5.
· Fixed false negatives in Information disclosure checks.
· Fixed false positive in User Controlled Cookie check.
· Fixed User-Controlled Charset check to look at XML files.
· Fixed bug that prevented the cookie filters from working as expected.