ratproxy – Passive Web Application Security Audit Tool

Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.
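To make the passive approach concrete, here is an added illustration (not ratproxy's own code) of how an auditor can flag three of the issue classes listed above by inspecting already captured request/response pairs, without sending any traffic of its own. The sample traffic, the header fields kept per entry, and the guard prefixes and token name pattern are all constructed assumptions for this example.

```python
# Added illustration (not ratproxy's code): a passive audit pass over already
# captured request/response pairs, flagging three classes of findings that the
# post lists. The traffic below is constructed for the example.
import re

CAPTURED = [  # constructed sample traffic, as a proxy might record it
    {"method": "GET", "path": "/api/profile", "cookies": True,
     "resp_headers": {"Content-Type": "application/json"},
     "body": '{"email":"alice@example.test"}'},
    {"method": "GET", "path": "/api/feed", "cookies": True,
     "resp_headers": {"Content-Type": "application/json",
                      "Cache-Control": "private, no-store"},
     "body": ")]}'\n[1,2,3]"},
    {"method": "POST", "path": "/account/email", "cookies": True,
     "params": {"email": "new@example.test"}, "resp_headers": {}, "body": ""},
    {"method": "GET", "path": "/static/app.js", "cookies": False,
     "resp_headers": {"Content-Type": "application/javascript",
                      "Cache-Control": "public, max-age=86400"},
     "body": "var x=1;"},
]

XSSI_GUARDS = (")]}'", "while(1);", "for(;;);")   # common anti-XSSI prefixes
TOKEN_RE = re.compile(r"(csrf|xsrf|token|nonce)", re.I)  # assumed token names

def audit(entries):
    """Return a list of (path, finding) tuples for the captured traffic."""
    findings = []
    for e in entries:
        ctype = e["resp_headers"].get("Content-Type", "").lower()
        cache = e["resp_headers"].get("Cache-Control", "").lower()
        # 1. Cookie-authenticated JSON served on GET with no XSSI guard prefix
        if (e["method"] == "GET" and e["cookies"] and "json" in ctype
                and not e["body"].lstrip().startswith(XSSI_GUARDS)):
            findings.append((e["path"], "json-without-xssi-guard"))
        # 2. Cookie-authenticated state change with no CSRF token among params
        if (e["method"] == "POST" and e["cookies"]
                and not any(TOKEN_RE.search(k) for k in e.get("params", {}))):
            findings.append((e["path"], "post-without-csrf-token"))
        # 3. Cookie-authenticated GET response that a shared cache may store
        if (e["method"] == "GET" and e["cookies"]
                and not any(t in cache for t in ("private", "no-store"))):
            findings.append((e["path"], "cookie-auth-response-cacheable"))
    return findings
```

The guarded, non-cacheable /api/feed entry and the anonymous static file produce no findings, which is the point of a passive tool: it only annotates what the observed traffic already shows.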

Why Ratproxy?

There are numerous alternative proxy tools meant to aid security auditors – most notably WebScarab, Paros, Burp, ProxMon, and Pantera. Stick with whatever suits your needs, as long as you get the data you need in the format you like.

That said, ratproxy is there for a reason. It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

You can download Ratproxy here:

Or read more here.

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for.

Posted in: Hacking Tools, Web Hacking


7 Responses to ratproxy – Passive Web Application Security Audit Tool

  1. Navin July 3, 2008 at 9:46 am #

    something very funny happened

    I’ve been reading darknet for a long time through this PC without any problem, but when I clicked on this very article my ISP blocked it (maybe coz of the word proxy in the web address)… so I’m currently reading this through a circumventor… hehe… you can’t keep me away from darknet, Mr. managerofmyisp


  2. razta July 3, 2008 at 10:19 am #

    This tool is used and coded by Google:

    “We feel it will be a valuable contribution to the information security community, helping advance the community’s understanding of security challenges associated with contemporary web technologies.” – Google security engineer Michal Zalewski

  3. grav July 3, 2008 at 8:03 pm #

    Suppose the UK passes the law banning the use of “hacking tools”. Will this still be banned?

    Stuff that the government does brings up questions about the ethics of government. Sure…people do bad stuff with hacking tools. Even the purpose of most hacking tools is usually nefarious. Does that mean that the gov’nt has the power to take away the right to bear arms? A gun’s purpose is to kill, but it can be used for better means. The same way, hacking tools can be used to hack or to prevent hacking!

    I agree with Michal Zalewski on how this tool will help web communities.

  4. razta July 3, 2008 at 9:39 pm #

    Maybe we will soon need a ‘special’ licence to run ‘hacking’ software, just like you do with guns. Why do MPs make decisions on topics they haven’t got a clue about?

  5. Sandeep Nain July 4, 2008 at 12:08 am #

    One more good step taken by Google…
    Giving away one of their very important internal tools for free.
    Hats off to Google…

    @grav, yes, this tool will be banned if the law against hacking tools is implemented. But I don’t really think that this law will be passed at all. Fingers crossed.

  6. Navin July 9, 2008 at 9:04 am #

    grav makes a very good point!! Hacking tools can be used to hack or to prevent hacking!! But frankly, issuing something like licences for these tools will simply increase the view that hacking is all bad!

    C’mon, just consider guns… the general assumption in this age is that they are bad, but in ages before licences they were considered protection devices for the rich and famous!!

    @razta: isn’t that what they’re supposed to do?? Interfere in unknown territory and mess up so badly that they get removed and then replaced?? I hope you remember that Kevin Mitnick never ran for the post of MP!! ;)

  7. zupakomputer July 9, 2008 at 9:38 pm #

    Personally I doubt they’d not pass that law; they’ve outlawed smoking in cafes and pubs for f**ks sake so they won’t bat an eyelid at making stuff that has anything to do with ‘hacker’ illegal. They know they can get away with anything when they’ve been allowed to stop cig smoking in nightclubs. And the same Euro-nutters have the cheek to boycott the Olympics cause China are bad to Tibet…..like they have a track record for human rights either.

    Not that it’ll make any difference to its availability if they do; they made drugs illegal too, and that business has increased about a billion-fold, with many new product additions invented, since the 1970s when those laws largely were put into place.

    “I’ll tell you this: no eternal reward will forgive us now for wasting the dawn.”

    Anyone that thinks they can stop me looking at net traffic can go Jump Off A Cliff Simulator. I’ll trainspot all I want.