Running ratproxy on Windows

I never use Ratproxy any longer, relying on other tools, including Skipfish (from the same author).

Here is how, for posterity, one can run it on Windows…

1.    Install Cygwin (http://cygwin.com/install.html)

2.    Download (http://code.google.com/p/ratproxy/) and build (http://www.butterdev.com/web-security/2008/07/google-ratproxy-web-application-security-audit-tool/) ratproxy under Cygwin

3.    Run ($ ./ratproxy -v TEST -w report -d target.host -lfscmxt). Here -v TEST is the directory where traces are stored, -w report is the log file the report is later built from, and -d target.host limits the analysis to that domain; the remaining letters are the flags explained below.

4.    Configure the browser to use the machine running ratproxy, port 8080 (the default listening port), as its HTTP proxy, then browse target.host. Ratproxy is passive: it only sees what you exercise, so walk through every feature you want covered.

5.    Press Ctrl-C in the Cygwin window when done; the log written with -w is complete at that point

6.    Run ($ ./ratproxy-report.sh report > NiceReport.html) to turn the log into “NiceReport.html”
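The six steps above collapse into one POSIX shell wrapper that can be run from the Cygwin prompt. This is an added example, not part of the original post or of ratproxy; it assumes ratproxy and ratproxy-report.sh were built in the current directory, that -d takes bare hostnames rather than URLs, and it keeps the disruptive -X mode behind an explicit switch so that it is never sent against a production host by accident.

```shell
#!/bin/sh
# Wrapper for the ratproxy procedure above (added example, not ratproxy's own code).
# Assumes ./ratproxy and ./ratproxy-report.sh exist in the current directory.

# -d expects a bare hostname such as target.host (assumption about ratproxy's -d);
# reject URLs, paths and host:port strings so the domain filter is not silently wrong.
valid_domain() {
    case "$1" in
        */*|*:*|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Print the argument list for ratproxy.
# $1 = trace directory (-v), $2 = log file (-w), $3 = "yes" to enable active -X mode,
# remaining arguments = one or more domains for -d.
ratproxy_args() {
    trace="$1"; log="$2"; active="$3"; shift 3
    args="-v $trace -w $log"
    for d in "$@"; do
        valid_domain "$d" || return 1
        args="$args -d $d"
    done
    # Passive flags used in step 3; -X is appended separately because it sends
    # extra, potentially disruptive requests and must be an explicit choice.
    args="$args -lfscmxt"
    [ "$active" = "yes" ] && args="$args -X"
    printf '%s\n' "$args"
}

# Run the proxy (steps 3-5) and build the report (step 6) when Ctrl-C is pressed.
run_audit() {
    trace="$1"; log="$2"; active="$3"; shift 3
    args=$(ratproxy_args "$trace" "$log" "$active" "$@") || {
        echo "refusing to run: bad domain in '$*'" >&2
        return 1
    }
    mkdir -p "$trace"
    # On Ctrl-C the proxy exits and the log is complete; generate the HTML report.
    trap './ratproxy-report.sh "$log" > NiceReport.html; echo "wrote NiceReport.html"' INT
    echo "listening on port 8080; point the browser at it and Ctrl-C when done" >&2
    # shellcheck disable=SC2086   # word splitting of $args is intended here
    ./ratproxy $args
}

# Usage (passive audit of target.host, as in the post):
#   run_audit TEST report no target.host
# Active, disruptive audit of a test instance only:
#   run_audit TEST report yes target.host
```

The wrapper refuses to start if any domain contains a slash or colon, which catches the common mistake of pasting a URL into -d; with a wrong -d value ratproxy would still run but would treat the target as a foreign domain and mis-classify cross-domain findings.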

Here is the meaning of each flag. Note that -X and -g are described below but are not part of the command in step 3; add them only when you want their behaviour.

-X

Enables active testing. When this option is provided, ratproxy will attempt to actively, disruptively validate the robustness of XSS and XSRF defenses whenever such a check is deemed necessary. By virtue of doing passive preselection, this does not generate excessive traffic and maintains the same level of coverage as afforded in passive mode. The downside is that these additional requests may disrupt the application or even trigger persistent problems; as such, please exercise caution when using it against mission-critical production systems.

-t

By default, ratproxy logs some of the most likely directory traversal candidates. This option tells the proxy to log less probable guesses, too. These are good leads for manual testing or as input to an external application. Generally recommended, unless it proves to be too noisy.

-f

With this option enabled, the proxy will log all Flash applications encountered for further analysis. This is particularly useful when combined with -v, in which case Flash files will be automatically disassembled and conveniently included in ‘ratproxy-report.sh’ output. Since recent Flash vulnerabilities make the platform a major potential cross-site scripting vector, it is advisable to enable this feature.

-s

Tells ratproxy to log all POST requests for further analysis and processing, in a separate section of the final report. This is useful for bookkeeping and manual review, since POST features are particularly likely to expose certain security design flaws.

-c

Enables logging of all URLs that seem to set cookies, regardless of their presumed security impact. Again, useful for manual design analysis and bookkeeping. Not expected to contribute much noise to the report.

-g

Extends XSRF token validation checks to GET requests. By default, the proxy requires anti-XSRF protection on POST requests and cookie setters only. Some applications tend to perform state-changing operations via GET requests, too, and so with this option enabled, additional data will be collected and analyzed. This feature is verbose, but useful for certain application designs.

-x

Tells the proxy to log all URLs that seem to be particularly well-suited for further, external XSS testing (by virtue of being echoed on the page in a particular manner). By default, ratproxy will not actually attempt to confirm these vectors (the -X option enables disruptive checking, however), but you will be able to use the data for manual testing or as input to third-party software. Generally recommended, unless it proves to be too noisy.

-m

Enables logging of “active” content referenced across domain boundaries to detect patterns such as remote image inclusion or remote linking (note that logging of remote script or stylesheet inclusion is enabled at all times). This option has an effect only when a proper set of domains is specified with the -d command-line parameter, and is recommended for sites where careful control of cross-domain trust relationships needs to be ensured.

-l

Ratproxy sometimes needs to tell if a page has substantially changed between two requests to better qualify the risks associated with some observations. By default, this is achieved through strict page checksum comparison (MD5). This option enables an alternative, relaxed checking mode that relies on page length comparison instead. Since some services tend to place dynamically generated tokens on rendered pages, it is generally advisable to enable this mode most of the time; the trade-off is that a change which happens to preserve the page length goes unnoticed in relaxed mode.
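The two flags that most often decide how many findings you get are -g (which requests must carry an anti-XSRF token) and -l (how "has the page changed" is decided). The Python below is an added example, written for this page and not taken from ratproxy's source: it models those two heuristics over a small, constructed batch of requests so you can see what flipping each flag does. The token detector (length, character set and entropy thresholds), the Request record and the sample traffic are all assumptions made for the illustration.

```python
import hashlib
import math
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed record of one proxied request (not ratproxy's log format).
@dataclass
class Request:
    method: str
    url: str
    params: Dict[str, str] = field(default_factory=dict)
    sets_cookie: bool = False   # response carried a Set-Cookie header

TOKEN_CHARS = re.compile(r"^[A-Za-z0-9_\-+/=]{16,}$")

def shannon_entropy(s: str) -> float:
    """Bits per character; a nonce scores high, a plain word or 'aaaa...' scores low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))

def looks_like_token(value: str) -> bool:
    """Assumed anti-XSRF token heuristic: >=16 token-charset chars with >=3 bits/char."""
    return bool(TOKEN_CHARS.match(value)) and shannon_entropy(value) >= 3.0

def is_state_changing(req: Request, check_get: bool) -> bool:
    """Default rule: POSTs and cookie setters; -g extends this to every GET."""
    if req.method == "POST" or req.sets_cookie:
        return True
    return check_get and req.method == "GET"

def missing_xsrf_token(reqs: List[Request], check_get: bool = False) -> List[str]:
    """Requests that should be XSRF-protected but carry no token-looking parameter."""
    findings = []
    for r in reqs:
        if not is_state_changing(r, check_get):
            continue
        if not any(looks_like_token(v) for v in r.params.values()):
            findings.append(f"{r.method} {r.url}")
    return findings

def page_changed(old: bytes, new: bytes, relaxed: bool = False) -> bool:
    """-l off: strict MD5 comparison. -l on: compare lengths only."""
    if relaxed:
        return len(old) != len(new)
    return hashlib.md5(old).digest() != hashlib.md5(new).digest()

# Constructed sample traffic: one protected POST, one unprotected POST,
# a GET logout, a cookie-setting GET login, and a harmless GET search.
SAMPLE = [
    Request("POST", "http://target.host/profile/update",
            {"name": "alice", "xsrf": "k3J9fQ2mZp7Lw0XcR5tVb8nH"}),
    Request("POST", "http://target.host/account/delete", {"id": "42"}),
    Request("GET", "http://target.host/logout"),
    Request("GET", "http://target.host/login", {"user": "alice"}, sets_cookie=True),
    Request("GET", "http://target.host/search", {"q": "ratproxy"}),
]

# Constructed pages: A and B differ only in a per-request token; C grew;
# D and E differ in meaning but not in length (the relaxed-mode blind spot).
PAGE_A = b'<form><input type="hidden" name="xsrf" value="aaaaaaaaaaaaaaaa"></form>'
PAGE_B = b'<form><input type="hidden" name="xsrf" value="bbbbbbbbbbbbbbbb"></form>'
PAGE_C = PAGE_B + b"<p>Admin panel</p>"
PAGE_D = b"<p>role=user </p>"
PAGE_E = b"<p>role=admin</p>"

if __name__ == "__main__":
    print("default:", missing_xsrf_token(SAMPLE))
    print("with -g:", missing_xsrf_token(SAMPLE, check_get=True))
    print("strict A/B:", page_changed(PAGE_A, PAGE_B))
    print("relaxed A/B:", page_changed(PAGE_A, PAGE_B, relaxed=True))
    print("relaxed D/E:", page_changed(PAGE_D, PAGE_E, relaxed=True))
```

With the defaults only the unprotected POST and the cookie-setting login are reported; -g adds the GET logout and the GET search, which is exactly the "verbose but useful for certain designs" trade-off the flag description warns about. The page comparison shows why -l is usually worth enabling (A and B are the same page with a fresh token, and strict MD5 comparison calls that a change) and what it costs (D and E are the same length, so relaxed mode cannot tell them apart).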

https://twitter.com/0utlaw
