03 July 2008 | 7,323 views

ratproxy – Passive Web Application Security Audit Tool

Check For Vulnerabilities with Acunetix

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

Why Ratproxy?

There are numerous alternative proxy tools meant to aid security auditors – most notably WebScarab, Paros, Burp, ProxMon, and Pantera. Stick with whatever suits your needs, as long as you get the data you need in the format you like.

That said, ratproxy is there for a reason. It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

You can download Ratproxy here:

ratproxy-1.51.tar.gz

Or read more here.

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for.



Recent in Hacking Tools:
- dirs3arch – HTTP File & Directory Brute Forcing Tool
- ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security
- SHODAN – Expose Online Devices (Wind Turbines, Power Plants & More!)

Related Posts:
- skipfish – Automated Web Application Security Reconnaissance Tool
- Samurai Web Testing Framework 0.6 Released – Web Application Security LiveCD
- Samurai Web Testing Framework – Web Application Security LiveCD

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,857,051 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,042,378 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 618,706 views

Low-cost VPS Hosting

7 Responses to “ratproxy – Passive Web Application Security Audit Tool”

  1. Navin 3 July 2008 at 9:46 am Permalink

    something very funny happened

    I’ve been reading darknet for a long time through this PC widout any problem but when I clicked on this very article my isp blocked it (maybe coz of the word proxy in the web-address)…so i’m currently reading this through a circumventor….hehe….you can’t keep me away frm darknet Mr. managerofmyisp

    hehe

  2. razta 3 July 2008 at 10:19 am Permalink

    This tool is used and coded by Google:

    “We feel it will be a valuable contribution to the information security
    community, helping advance the community’s understanding of security challenges associated with contemporary web technologies.” Google security engineer Michal Zalewski

  3. grav 3 July 2008 at 8:03 pm Permalink

    Suppose the UK passes the law banning the use of “hacking tools”
    Will this still be banned?

    Stuff that the government does brings up questions about the ethics of government. Sure…people do bad stuff with hacking tools. Even the purpose of most hacking tools is usually nefarious. Does that mean that the gov’nt has the power to take away the right to bear arms? A gun’s purpose is to kill, but it can be used for better means. The same way, hacking tools can be used to hack or to prevent hacking!

    I agree with Michal Zalewski on how this tool will help web communities.

  4. razta 3 July 2008 at 9:39 pm Permalink

    Maybe we will soon need a ‘special’ license to run ‘hacking’ software, just like you do with guns. Why do MP’s make decisions on topics they havent got a clue about?

  5. Sandeep Nain 4 July 2008 at 12:08 am Permalink

    One more good step taken by google…..
    Giving one of their very important internal tool for free.
    hats off to google…

    @grav, yes this tool will be banned if the law against hacking tools is implemented But I don’t really think that this law will be passed at all. Fingers crossed.

  6. Navin 9 July 2008 at 9:04 am Permalink

    grav makes a very good point!! hacking tools can be used to hack or to prevent hacking!! But frankly, issueing something like licences for these tools will simply increase the view tht hacking is all bad!

    Cmon, just consider guns….. the general assumption in this age is tht they are bad, but in ages before licences they were considered as protection devices for the rich and famous!!

    @ razta: isn’t tht wht they’re spozed to do?? interfere into unknown territory and mess up so bad tht they get removed and then get replaced?? i hope you remember tht Kevin Mitnick never ran for the post of MP!! ;)

  7. zupakomputer 9 July 2008 at 9:38 pm Permalink

    Personally I doubt they’d not pass that law; they’ve outlawed smoking in cafes and pubs for f**ks sake so they won’t bat an eyelid at making stuff that has anything to do with ‘hacker’ illegal. They know they can get away with anything when they’ve been allowed to stop cig smoking in nightclubs. And the same Euro-nutters have the cheek to boycott the Olympics cause China are bad to Tibet…..like they have a track record for human rights either.

    Not that it’ll make any difference to it’s avalibility if they do; they made drugs illegal too and that business has increased about a billion fold, with many new product additions invented, since the 1970s when those laws largely were put into place.

    “I’ll tell you this: no eternal reward will forgive us now for wasting the dawn.”

    Anyone that thinks they can stop me looking at net traffic can go Jump Off A Cliff Simulator. I’ll trainspott all I want.