ratproxy – Passive Web Application Security Audit Tool

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.
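To make the passive approach concrete, here is a small Python auditor that implements simplified versions of several checks the post lists (CSRF defenses, cross-site script inclusion, caching, cross-domain code inclusion, information leakage) over recorded request/response pairs. It is an added example written for this page, not ratproxy's own code; the `Exchange` records, the heuristics, and the sample traffic are all constructed here, and the thresholds (what counts as a "token-like" parameter, which anti-XSSI prefixes are recognised) are assumptions rather than ratproxy's actual rules.

```python
"""Passive HTTP audit heuristics in the spirit of ratproxy (illustrative; not ratproxy's code).

Input: recorded request/response exchanges (constructed samples at the bottom).
Output: annotated findings, the way a passive auditor reports on traffic it has
merely observed rather than on requests it generated itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlparse


@dataclass
class Exchange:  # one observed request/response pair (assumed record shape)
    method: str
    url: str
    req_headers: Dict[str, str]
    req_body: str
    status: int
    resp_headers: Dict[str, str]
    resp_body: str


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    check: str
    url: str
    note: str


def hdr(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


TOKEN_RE = re.compile(r"(csrf|xsrf|token|nonce)", re.I)          # assumed naming convention
ANTI_XSSI_PREFIXES = (")]}'", "while(1);", "for(;;);", "throw 1;")  # common prefixes; assumed list
SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I)
STACK_TRACE_RE = re.compile(r"(Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)|ORA-\d{5}|Warning: .* on line \d+)")
VERSION_RE = re.compile(r"\d+\.\d+")


def is_authenticated(ex: Exchange) -> bool:
    """Treat any cookie-bearing request as session-bound (a passive-only approximation)."""
    return bool(hdr(ex.req_headers, "Cookie"))


def check_csrf(ex: Exchange) -> List[Finding]:
    """State-changing, cookie-authenticated request with no visible anti-CSRF token.
    Observation alone cannot show whether the server validates Origin/Referer, so this
    is an annotation for review, not a confirmed vulnerability."""
    if ex.method.upper() not in ("POST", "PUT", "DELETE") or not is_authenticated(ex):
        return []
    names = list(parse_qs(ex.req_body, keep_blank_values=True)) + list(ex.req_headers)
    if any(TOKEN_RE.search(n) for n in names):
        return []
    return [Finding("high", "csrf", ex.url,
                    "state-changing request carries a session cookie but no token-like parameter or header")]


def check_xssi(ex: Exchange) -> List[Finding]:
    """Cookie-authenticated GET returning JSON/JavaScript without an anti-XSSI prefix."""
    ctype = hdr(ex.resp_headers, "Content-Type").lower()
    if ex.method.upper() != "GET" or ex.status != 200 or not is_authenticated(ex):
        return []
    if "json" not in ctype and "javascript" not in ctype:
        return []
    body = ex.resp_body.lstrip()
    if body.startswith(ANTI_XSSI_PREFIXES):
        return []
    sev = "high" if body.startswith("[") else "medium"  # bare array literal is the classic XSSI shape
    return [Finding(sev, "xssi", ex.url, f"{ctype} served to an authenticated GET with no anti-XSSI prefix")]


def check_caching(ex: Exchange) -> List[Finding]:
    """Session-bound response whose Cache-Control does not keep it out of shared caches."""
    if not (is_authenticated(ex) or hdr(ex.resp_headers, "Set-Cookie")):
        return []
    cc = hdr(ex.resp_headers, "Cache-Control").lower()
    if "no-store" in cc or "private" in cc:
        return []
    return [Finding("medium", "caching", ex.url, f"session-bound response has Cache-Control={cc!r}; expected private or no-store")]


def check_cross_domain_script(ex: Exchange) -> List[Finding]:
    """<script src> pointing at another origin: the page runs with that origin's trust."""
    if "html" not in hdr(ex.resp_headers, "Content-Type").lower():
        return []
    page_host = urlparse(ex.url).hostname
    out = []
    for src in SCRIPT_SRC_RE.findall(ex.resp_body):
        u = urlparse(src)
        if u.hostname and u.hostname != page_host:
            sev = "high" if u.scheme == "http" else "low"  # cleartext third-party script is the worse case
            out.append(Finding(sev, "cross-domain-script", ex.url, f"script loaded from {u.hostname} via {u.scheme or 'scheme-relative'}"))
    return out


def check_info_leak(ex: Exchange) -> List[Finding]:
    """Version banners in Server/X-Powered-By and stack-trace-like bodies."""
    out = []
    for name in ("Server", "X-Powered-By"):
        val = hdr(ex.resp_headers, name)
        if val and VERSION_RE.search(val):
            out.append(Finding("low", "info-leak", ex.url, f"{name} header discloses a version: {val}"))
    if STACK_TRACE_RE.search(ex.resp_body):
        out.append(Finding("medium", "info-leak", ex.url, "response body looks like a stack trace or error dump"))
    return out


CHECKS = (check_csrf, check_xssi, check_caching, check_cross_domain_script, check_info_leak)


def audit(exchanges: List[Exchange]) -> List[Finding]:
    """Run every check over every exchange; highest severity first (stable order within a level)."""
    findings = [f for ex in exchanges for check in CHECKS for f in check(ex)]
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


# Constructed sample traffic (hostnames and bodies are made up for this example).
SAMPLES = [
    Exchange("POST", "https://app.example/account/email", {"Cookie": "sid=abc", "Content-Type": "application/x-www-form-urlencoded"},
             "email=new%40example.org", 302, {"Location": "/account", "Cache-Control": "no-store"}, ""),
    Exchange("GET", "https://app.example/api/contacts", {"Cookie": "sid=abc"}, "",
             200, {"Content-Type": "application/json"}, '[{"name":"Ann","email":"ann@example.org"}]'),
    Exchange("GET", "https://app.example/home", {"Cookie": "sid=abc"}, "",
             200, {"Content-Type": "text/html", "Cache-Control": "private", "X-Powered-By": "PHP/5.2.6"},
             '<html><script src="http://cdn.example.net/lib.js"></script></html>'),
    Exchange("GET", "https://app.example/static/app.js", {}, "",
             200, {"Content-Type": "application/javascript", "Cache-Control": "public, max-age=86400"}, "var x=1;"),
]

if __name__ == "__main__":
    for f in audit(SAMPLES):
        print(f"[{f.severity:6}] {f.check:20} {f.url}  {f.note}")
```

The fourth sample (an unauthenticated, publicly cacheable static script) produces no findings, which is the point of keying the caching and XSSI checks on the presence of a session cookie: a passive tool has to decide from the traffic alone which responses are user-specific, and that decision drives most of its false-positive rate.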

Why Ratproxy?

There are numerous alternative proxy tools meant to aid security auditors – most notably WebScarab, Paros, Burp, ProxMon, and Pantera. Stick with whatever suits your needs, as long as you get the data you need in the format you like.

That said, ratproxy is there for a reason. It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

You can download Ratproxy here:

Or read more here.

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for.

Posted in: Hacking Tools, Web Hacking


7 Responses to ratproxy – Passive Web Application Security Audit Tool

  1. Navin July 3, 2008 at 9:46 am #

    something very funny happened

    I’ve been reading darknet for a long time through this PC widout any problem but when I clicked on this very article my isp blocked it (maybe coz of the word proxy in the web-address)…so i’m currently reading this through a circumventor….hehe….you can’t keep me away frm darknet Mr. managerofmyisp


  2. razta July 3, 2008 at 10:19 am #

    This tool is used and coded by Google:

    “We feel it will be a valuable contribution to the information security community, helping advance the community’s understanding of security challenges associated with contemporary web technologies.” Google security engineer Michal Zalewski

  3. grav July 3, 2008 at 8:03 pm #

    Suppose the UK passes the law banning the use of “hacking tools”
    Will this still be banned?

    Stuff that the government does brings up questions about the ethics of government. Sure…people do bad stuff with hacking tools. Even the purpose of most hacking tools is usually nefarious. Does that mean that the gov’nt has the power to take away the right to bear arms? A gun’s purpose is to kill, but it can be used for better means. The same way, hacking tools can be used to hack or to prevent hacking!

    I agree with Michal Zalewski on how this tool will help web communities.

  4. razta July 3, 2008 at 9:39 pm #

    Maybe we will soon need a ‘special’ license to run ‘hacking’ software, just like you do with guns. Why do MPs make decisions on topics they haven’t got a clue about?

  5. Sandeep Nain July 4, 2008 at 12:08 am #

    One more good step taken by google…..
    Giving one of their very important internal tool for free.
    hats off to google…

    @grav, yes this tool will be banned if the law against hacking tools is implemented. But I don’t really think that this law will be passed at all. Fingers crossed.

  6. Navin July 9, 2008 at 9:04 am #

    grav makes a very good point!! hacking tools can be used to hack or to prevent hacking!! But frankly, issuing something like licences for these tools will simply increase the view tht hacking is all bad!

    Cmon, just consider guns….. the general assumption in this age is tht they are bad, but in ages before licences they were considered as protection devices for the rich and famous!!

    @ razta: isn’t tht wht they’re spozed to do?? interfere into unknown territory and mess up so bad tht they get removed and then get replaced?? i hope you remember tht Kevin Mitnick never ran for the post of MP!! ;)

  7. zupakomputer July 9, 2008 at 9:38 pm #

    Personally I doubt they’d not pass that law; they’ve outlawed smoking in cafes and pubs for f**ks sake so they won’t bat an eyelid at making stuff that has anything to do with ‘hacker’ illegal. They know they can get away with anything when they’ve been allowed to stop cig smoking in nightclubs. And the same Euro-nutters have the cheek to boycott the Olympics cause China are bad to Tibet…..like they have a track record for human rights either.

    Not that it’ll make any difference to its availability if they do; they made drugs illegal too and that business has increased about a billion fold, with many new product additions invented, since the 1970s when those laws largely were put into place.

    “I’ll tell you this: no eternal reward will forgive us now for wasting the dawn.”

    Anyone that thinks they can stop me looking at net traffic can go Jump Off A Cliff Simulator. I’ll trainspot all I want.