ratproxy – Passive Web Application Security Audit Tool

Keep on Guard!


Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

Why Ratproxy?

There are numerous alternative proxy tools meant to aid security auditors – most notably WebScarab, Paros, Burp, ProxMon, and Pantera. Stick with whatever suits your needs, as long as you get the data you need in the format you like.

That said, ratproxy is there for a reason. It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

You can download Ratproxy here:

ratproxy-1.51.tar.gz

Or read more here.

The tool should run on Linux, *BSD, MacOS X, and Windows (Cygwin). Since it is in beta, there might be some kinks to be ironed out, and not all web technologies might be properly accounted for.

Posted in: Hacking Tools, Web Hacking

, , ,


Latest Posts:


OSSIM Download - Open Source SIEM Tools & Software OSSIM Download – Open Source SIEM Tools & Software
OSSIM is a popular Open Source SIEM or Security Information and Event Management (SIEM) product, providing event collection, normalization and correlation.
What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.


7 Responses to ratproxy – Passive Web Application Security Audit Tool

  1. Navin July 3, 2008 at 9:46 am #

    something very funny happened

    I’ve been reading darknet for a long time through this PC widout any problem but when I clicked on this very article my isp blocked it (maybe coz of the word proxy in the web-address)…so i’m currently reading this through a circumventor….hehe….you can’t keep me away frm darknet Mr. managerofmyisp

    hehe

  2. razta July 3, 2008 at 10:19 am #

    This tool is used and coded by Google:

    “We feel it will be a valuable contribution to the information security
    community, helping advance the community’s understanding of security challenges associated with contemporary web technologies.” Google security engineer Michal Zalewski

  3. grav July 3, 2008 at 8:03 pm #

    Suppose the UK passes the law banning the use of “hacking tools”
    Will this still be banned?

    Stuff that the government does brings up questions about the ethics of government. Sure…people do bad stuff with hacking tools. Even the purpose of most hacking tools is usually nefarious. Does that mean that the gov’nt has the power to take away the right to bear arms? A gun’s purpose is to kill, but it can be used for better means. The same way, hacking tools can be used to hack or to prevent hacking!

    I agree with Michal Zalewski on how this tool will help web communities.

  4. razta July 3, 2008 at 9:39 pm #

    Maybe we will soon need a ‘special’ license to run ‘hacking’ software, just like you do with guns. Why do MP’s make decisions on topics they havent got a clue about?

  5. Sandeep Nain July 4, 2008 at 12:08 am #

    One more good step taken by google…..
    Giving one of their very important internal tool for free.
    hats off to google…

    @grav, yes this tool will be banned if the law against hacking tools is implemented But I don’t really think that this law will be passed at all. Fingers crossed.

  6. Navin July 9, 2008 at 9:04 am #

    grav makes a very good point!! hacking tools can be used to hack or to prevent hacking!! But frankly, issueing something like licences for these tools will simply increase the view tht hacking is all bad!

    Cmon, just consider guns….. the general assumption in this age is tht they are bad, but in ages before licences they were considered as protection devices for the rich and famous!!

    @ razta: isn’t tht wht they’re spozed to do?? interfere into unknown territory and mess up so bad tht they get removed and then get replaced?? i hope you remember tht Kevin Mitnick never ran for the post of MP!! ;)

  7. zupakomputer July 9, 2008 at 9:38 pm #

    Personally I doubt they’d not pass that law; they’ve outlawed smoking in cafes and pubs for f**ks sake so they won’t bat an eyelid at making stuff that has anything to do with ‘hacker’ illegal. They know they can get away with anything when they’ve been allowed to stop cig smoking in nightclubs. And the same Euro-nutters have the cheek to boycott the Olympics cause China are bad to Tibet…..like they have a track record for human rights either.

    Not that it’ll make any difference to it’s avalibility if they do; they made drugs illegal too and that business has increased about a billion fold, with many new product additions invented, since the 1970s when those laws largely were put into place.

    “I’ll tell you this: no eternal reward will forgive us now for wasting the dawn.”

    Anyone that thinks they can stop me looking at net traffic can go Jump Off A Cliff Simulator. I’ll trainspott all I want.