Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.64.0807012124130.17434@dione.cc>
Date: Wed, 2 Jul 2008 02:02:02 +0200 (CEST)
From: Michal Zalewski <lcamtuf@...ne.cc>
To: bugtraq@...urityfocus.com, websecurity@...appsec.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: [tool] ratproxy - passive web application security assessment tool

Hi all,

I am happy to announce that we've just open sourced ratproxy - a free, 
passive web security assessment tool. This utility is designed to 
transparently analyze legitimate, browser-driven interactions with tested 
web applications - and automatically pinpoint, annotate, and prioritize 
potential flaws or areas of concern on the fly.

The proxy analyzes problems such as cross-site script inclusion threats, 
insufficient cross-site request forgery defenses, caching issues, 
potentially unsafe cross-domain code inclusion schemes and information 
leakage scenarios, and much more.
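
The classes of passive checks the announcement lists, as an added illustration that is not ratproxy's own code: it inspects constructed sample exchanges the way a passive proxy would observe them and flags script-includable JSON (cross-site script inclusion), session-bound responses left cacheable, and state-changing forms with no token-like field. All names, URLs, header values and sample records are assumptions.

```python
import re

# Constructed sample traffic as a passive proxy would see it: (method, url,
# response headers, response body). Invented records, not ratproxy output.
SAMPLE = [
    ("GET", "https://app.example/api/contacts",
     {"content-type": "application/json", "set-cookie": "sid=abc; HttpOnly"},
     '[{"email": "a@example"}]'),
    ("GET", "https://app.example/api/contacts_safe",
     {"content-type": "application/json", "cache-control": "private, no-store"},
     ")]}'\n[{\"email\": \"a@example\"}]"),
    ("GET", "https://app.example/transfer",
     {"content-type": "text/html", "cache-control": "no-store"},
     '<form method="post" action="/transfer"><input name="amount"></form>'),
    ("GET", "https://app.example/profile",
     {"content-type": "text/html", "cache-control": "no-store"},
     '<form method="post" action="/profile"><input type="hidden" name="csrf_token" value="x"></form>'),
]

XSSI_BREAKERS = (")]}'", "while(1);", "for(;;);", "throw 1;")
TOKEN_FIELD = re.compile(r'name=["\']?[^"\'>\s]*(?:csrf|token|nonce)', re.I)
POST_FORM = re.compile(r"<form\b[^>]*method=[\"']?post", re.I)

def analyze(method, url, headers, body):
    """Return a list of (category, url) findings for one observed exchange."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    cache = h.get("cache-control", "").lower()
    # XSSI: a GET-reachable JSON array literal is valid JavaScript, so another
    # origin could load it via <script src=>; a breaker prefix defeats that.
    if method == "GET" and "json" in ctype:
        stripped = body.lstrip()
        if stripped.startswith("[") and not stripped.startswith(XSSI_BREAKERS):
            findings.append(("xssi_json_array", url))
    # Caching: a response that binds to a session (Set-Cookie) should carry
    # Cache-Control: private or no-store so shared caches do not keep it.
    if "set-cookie" in h and not ("private" in cache or "no-store" in cache):
        findings.append(("cacheable_session_response", url))
    # CSRF: a state-changing POST form with no token-like field is suspicious.
    if "html" in ctype and POST_FORM.search(body) and not TOKEN_FIELD.search(body):
        findings.append(("post_form_without_token", url))
    return findings

def analyze_all(exchanges=SAMPLE):
    """Flatten findings over a whole capture: the on-the-fly annotation step."""
    return [f for ex in exchanges for f in analyze(*ex)]
```

As with the real tool, each finding marks a pattern worth a human look, not a confirmed flaw.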

For a detailed discussion of the utility, please visit:
   http://code.google.com/p/ratproxy/wiki/RatproxyDoc

Source code is available at:
   http://code.google.com/p/ratproxy/downloads/list

And finally, a screenshot of a sample report can be found here:
   http://lcamtuf.coredump.cx/ratproxy-screen.png

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since 
it is in beta, there might be some kinks to be ironed out, and not all web 
technologies might be properly accounted for. Feedback is appreciated.

Please keep in mind that the proxy is meant to highlight interesting 
patterns in web applications; further analysis by a security 
professional is required to interpret the significance of results for a 
particular platform.

Cheers,
/mz
