I never use Ratproxy any longer, relying on other tools, including Skipfish (from the same author).
Here is how, for posterity, one can run it on Windows…
1. Install cygwin (http://cygwin.com/install.html)
2. Download (http://code.google.com/p/ratproxy/) and build (http://www.butterdev.com/web-security/2008/07/google-ratproxy-web-application-security-audit-tool/) Ratproxy
3. Run ($ ./ratproxy -v TEST -w report -d target.host -lfscmxt)
4. Configure browser proxy to port 8080, browse target.host
5. Ctrl-C when done
6. Run ($ ./ratproxy-report.sh report > NiceReport.html) to generate “NiceReport.html”
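The six steps above, collected into one wrapper that is typed into the cygwin shell from the ratproxy build directory. This is an added example, not part of ratproxy or of the original post; the target host, the trace file name and the HTML file name are parameters, and the option string is exactly the one from step 3. The one detail worth noticing is the signal handling: Ctrl-C reaches both ratproxy and the script's shell, so the shell sets a trap (not an ignore, which a child would inherit) so that it survives to run the report step.

```sh
#!/bin/sh
# Added example wrapper for the manual steps above (not ratproxy's own code).
# Run from the directory where ratproxy was built, e.g.:
#   sh audit.sh target.host report NiceReport.html

# Build the exact ratproxy command line used in step 3.
ratproxy_cmd() {  # $1 = target host (-d), $2 = results file (-w)
    printf './ratproxy -v TEST -w %s -d %s -lfscmxt' "$2" "$1"
}

# Steps 3 to 6: start the proxy, wait for Ctrl-C, then render the HTML report.
run_audit() {  # $1 = target host, $2 = results file, $3 = HTML report to write
    [ -x ./ratproxy ] && [ -x ./ratproxy-report.sh ] || {
        echo "run this from the directory where ratproxy was built" >&2
        return 1
    }
    # A trap set to a command is reset to default in the child, so Ctrl-C still
    # stops ratproxy, while the shell itself runs ':' and carries on to the report.
    # (trap '' INT would be inherited by ratproxy and make it ignore Ctrl-C.)
    trap ':' INT
    echo "proxy on 127.0.0.1:8080 (step 4): point the browser at it, browse $1, then press Ctrl-C (step 5)" >&2
    eval "$(ratproxy_cmd "$1" "$2")"
    trap - INT
    ./ratproxy-report.sh "$2" > "$3"           # step 6
    echo "report written to $3" >&2
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ $# -eq 3 ] && run_audit "$1" "$2" "$3"
```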
Here is the meaning of each flag:
-X
Enables active testing. When this option is provided,
ratproxy will attempt to actively, disruptively validate the
robustness of XSS and XSRF defenses whenever such a check is
deemed necessary.
By virtue of doing passive preselection, this does not
generate excessive traffic and maintains the same level of
coverage as afforded in passive mode.
The downside is that these additional requests may disrupt
the application or even trigger persistent problems; as such,
please exercise caution when using it against mission-critical
production systems.
-t
By default, ratproxy logs some of the most likely directory
traversal candidates. This option tells the proxy to log less
probable guesses, too. These are good leads for manual testing
or as input to an external application.
Generally recommended, unless it proves to be too noisy.
-f
With this option enabled, the proxy will log all Flash
applications encountered for further analysis. This is
particularly useful when combined with -v, in which case, Flash
files will be automatically disassembled and conveniently
included in ‘ratproxy-report.sh’ output.
Since recent Flash vulnerabilities make the platform a major
potential cross-site scripting vector, it is advisable to
enable this feature.
-s
Tells ratproxy to log all POST requests for further analysis
and processing, in a separate section of the final report.
This is useful for bookkeeping and manual review, since POST
features are particularly likely to expose certain security
design flaws.
-c
Enables logging of all URLs that seem to set cookies,
regardless of their presumed security impact. Again, useful for
manual design analysis and bookkeeping. Not expected to
contribute much noise to the report.
-g
Extends XSRF token validation checks to GET requests. By
default, the proxy requires anti-XSRF protection on POST
requests and cookie setters only. Some applications tend to
perform state changing operations via GET requests, too, and
so with this option enabled, additional data will be collected
and analyzed.
This feature is verbose, but useful for certain application
designs.
-x
Tells the proxy to log all URLs that seem to be particularly
well-suited for further, external XSS testing (by virtue
of being echoed on the page in a particular manner). By
default, ratproxy will not actually attempt to confirm these
vectors (-X option enables disruptive checking, however) – but
you will be able to use the data for manual testing or as
input to third-party software.
Generally recommended, unless it proves to be too noisy.
-m
Enables logging of “active” content referenced across domain
boundaries to detect patterns such as remote image inclusion
or remote linking (note that logging of remote script or
stylesheet inclusion is enabled at all times).
This option has an effect only when a proper set of domains
is specified with -d command-line parameter – and is
recommended for sites where a careful control of cross-domain
trust relationships needs to be ensured.
-l
Ratproxy sometimes needs to tell if a page has substantially
changed between two requests to better qualify the risks
associated with some observations. By default, this is
achieved through strict page checksum comparison (MD5). This
option enables an alternative, relaxed checking mode that
relies on page length comparison instead.
Since some services tend to place dynamically generated
tokens on rendered pages, it is generally advisable to enable
this mode most of the time.
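The two comparison modes described for -l, shown side by side on constructed page renderings (this is an added example, not ratproxy's code; ratproxy is not invoked and the HTML fragments are made up here). The first two renderings are the same page fetched twice, differing only in a fixed-width per-request token: strict MD5 comparison reports a change, the relaxed length comparison does not, which is exactly why the text recommends -l for sites that embed such tokens. The third rendering shows the cost of the relaxed mode: a substantive change that happens to keep the same byte length is reported as "same".

```sh
#!/bin/sh
# Added example: ratproxy's two "has the page changed?" strategies, re-implemented
# on sample files. Pages below are constructed samples, not real responses.

# Strict mode (default): responses are the same only if their MD5 digests match.
page_changed_strict() {  # $1, $2 = files holding the two responses
    a=$(md5sum "$1" | cut -d' ' -f1)
    b=$(md5sum "$2" | cut -d' ' -f1)
    [ "$a" != "$b" ]
}

# Relaxed mode (-l): responses are the same if their byte lengths match.
page_changed_relaxed() {
    a=$(wc -c < "$1")
    b=$(wc -c < "$2")
    [ "$a" -ne "$b" ]
}

# Report both verdicts for a pair of responses, e.g. "strict=changed relaxed=same".
compare_modes() {
    if page_changed_strict "$1" "$2"; then s=changed; else s=same; fi
    if page_changed_relaxed "$1" "$2"; then r=changed; else r=same; fi
    printf 'strict=%s relaxed=%s\n' "$s" "$r"
}

# Write a constructed page that embeds an 8-hex-digit anti-XSRF token.
write_page() {  # $1 = output file, $2 = token, $3 = visible body text
    printf '<html><body><form method="POST">\n<input type="hidden" name="token" value="%s">\n<p>%s</p>\n</form></body></html>\n' \
        "$2" "$3" > "$1"
}

demo() {
    d=$(mktemp -d)
    write_page "$d/fetch1.html" "1a2b3c4d" "Transfer funds"   # same page, token A
    write_page "$d/fetch2.html" "9e8f7a6b" "Transfer funds"   # same page, token B
    write_page "$d/other.html"  "1a2b3c4d" "Delete account"   # different page, same length
    echo "same page, new token:      $(compare_modes "$d/fetch1.html" "$d/fetch2.html")"
    echo "different page, same size: $(compare_modes "$d/fetch1.html" "$d/other.html")"
    rm -rf "$d"
}

demo
```

In ratproxy's default mode the first pair would be treated as a changed page on every request, so any finding that depends on "did the response change?" is assessed against noise from the token; -l removes that noise at the price shown by the second pair, where a same-length edit goes unnoticed.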