ratproxy – Passive Web Application Security Audit Tool

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.
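To make the passive approach concrete, here is a small added example (not ratproxy's own code) that annotates already-captured request/response pairs for three of the problem classes named above: cross-site script inclusion, missing CSRF defenses, and cacheable authenticated content. The exchange format and the heuristics are assumptions for illustration; the sample exchange is constructed.

```python
import re
from typing import Dict, List

# Each captured exchange is a pair of dicts (hypothetical format, not ratproxy's):
#   req:  {"method", "path", "headers" (lowercase keys), "body"}
#   resp: {"status", "headers" (lowercase keys), "body"}
ANTI_XSSI_PREFIXES = (")]}'", "while(1);", "for(;;);")
SCRIPTABLE_TYPES = ("application/json", "text/javascript", "application/javascript")


def passive_audit(req: Dict, resp: Dict) -> List[str]:
    """Return finding tags for one observed exchange; nothing is sent anywhere."""
    findings: List[str] = []
    req_h, resp_h = req["headers"], resp["headers"]
    authenticated = "cookie" in req_h or "authorization" in req_h
    ctype = resp_h.get("content-type", "").split(";")[0].strip().lower()
    body = resp.get("body", "").lstrip()

    # XSSI: an authenticated GET that returns JSON or script without an
    # anti-XSSI prefix can be loaded cross-origin via <script src=...>.
    looks_scriptable = body.startswith(("{", "[")) or ctype in SCRIPTABLE_TYPES
    if req["method"] == "GET" and authenticated and looks_scriptable:
        if not body.startswith(ANTI_XSSI_PREFIXES):
            findings.append("XSSI: authenticated JSON/script response lacks anti-XSSI prefix")

    # CSRF: a state-changing request riding on a session cookie with no
    # token-like parameter in the body and no X-CSRF/X-XSRF style header.
    if req["method"] in ("POST", "PUT", "DELETE") and "cookie" in req_h:
        body_token = re.search(r"(csrf|xsrf|token|nonce)=", req.get("body", ""), re.I)
        header_token = any(k.startswith(("x-csrf", "x-xsrf")) for k in req_h)
        if not body_token and not header_token:
            findings.append("CSRF: state-changing request has no anti-CSRF token")

    # Caching: authenticated content without Cache-Control private/no-store
    # may be stored by a shared cache and served to another user.
    if authenticated:
        cc = resp_h.get("cache-control", "").lower()
        if "private" not in cc and "no-store" not in cc:
            findings.append("CACHE: authenticated response is cacheable by shared caches")
    return findings


if __name__ == "__main__":
    # Constructed sample exchange: a logged-in user's profile fetched as JSON.
    sample_req = {"method": "GET", "path": "/api/me", "headers": {"cookie": "sid=abc"}, "body": ""}
    sample_resp = {"status": 200, "headers": {"content-type": "application/json"},
                   "body": '{"user": "alice"}'}
    for tag in passive_audit(sample_req, sample_resp):
        print(tag)
```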

Why Ratproxy?

There are numerous alternative proxy tools meant to aid security auditors – most notably WebScarab, Paros, Burp, ProxMon, and Pantera. Stick with whatever suits your needs, as long as you get the data you need in the format you like.

That said, ratproxy is there for a reason. It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

You can download Ratproxy here:


Or read more here.

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for.

Posted in: Hacking Tools, Web Hacking


7 Responses to ratproxy – Passive Web Application Security Audit Tool

  1. Navin July 3, 2008 at 9:46 am #

    something very funny happened

    I’ve been reading darknet for a long time through this PC without any problem, but when I clicked on this very article my ISP blocked it (maybe because of the word proxy in the web address)… so I’m currently reading this through a circumventor… hehe… you can’t keep me away from darknet, Mr. managerofmyisp


  2. razta July 3, 2008 at 10:19 am #

    This tool is used and coded by Google:

    “We feel it will be a valuable contribution to the information security community, helping advance the community’s understanding of security challenges associated with contemporary web technologies.” – Google security engineer Michal Zalewski

  3. grav July 3, 2008 at 8:03 pm #

    Suppose the UK passes the law banning the use of “hacking tools”. Will this still be banned?

    Stuff that the government does brings up questions about the ethics of government. Sure…people do bad stuff with hacking tools. Even the purpose of most hacking tools is usually nefarious. Does that mean that the gov’nt has the power to take away the right to bear arms? A gun’s purpose is to kill, but it can be used for better means. The same way, hacking tools can be used to hack or to prevent hacking!

    I agree with Michal Zalewski on how this tool will help web communities.

  4. razta July 3, 2008 at 9:39 pm #

    Maybe we will soon need a ‘special’ license to run ‘hacking’ software, just like you do with guns. Why do MPs make decisions on topics they haven’t got a clue about?

  5. Sandeep Nain July 4, 2008 at 12:08 am #

    One more good step taken by Google…
    Giving away one of their very important internal tools for free.
    Hats off to Google…

    @grav, yes this tool will be banned if the law against hacking tools is implemented. But I don’t really think that this law will be passed at all. Fingers crossed.

  6. Navin July 9, 2008 at 9:04 am #

    grav makes a very good point!! Hacking tools can be used to hack or to prevent hacking!! But frankly, issuing something like licences for these tools will simply increase the view that hacking is all bad!

    Cmon, just consider guns… the general assumption in this age is that they are bad, but in ages before licences they were considered as protection devices for the rich and famous!!

    @razta: isn’t that what they’re supposed to do?? Interfere in unknown territory and mess up so badly that they get removed and then get replaced?? I hope you remember that Kevin Mitnick never ran for the post of MP!! ;)

  7. zupakomputer July 9, 2008 at 9:38 pm #

    Personally I doubt they’d not pass that law; they’ve outlawed smoking in cafes and pubs for f**ks sake so they won’t bat an eyelid at making stuff that has anything to do with ‘hacker’ illegal. They know they can get away with anything when they’ve been allowed to stop cig smoking in nightclubs. And the same Euro-nutters have the cheek to boycott the Olympics cause China are bad to Tibet…..like they have a track record for human rights either.

    Not that it’ll make any difference to its availability if they do; they made drugs illegal too and that business has increased about a billion fold, with many new product additions invented, since the 1970s when those laws largely were put into place.

    “I’ll tell you this: no eternal reward will forgive us now for wasting the dawn.”

    Anyone that thinks they can stop me looking at net traffic can go Jump Off A Cliff Simulator. I’ll trainspott all I want.