The Ratproxy security scanner looks for vulnerabilities in web applications
Pressing Ctrl+C terminates the Ratproxy test. The results of the analysis land in the slightly cryptic ratproxy.log file, which is designed for easy machine readability and for cooperation with grep (Figure 3). Until new tools appear, you can use the ratproxy-report.sh script to generate a more intuitive HTML report:
./ratproxy-report.sh ratproxy.log > report.html
The report looks like that in Figure 4: The list presents the problems identified by Ratproxy, sorted by type and importance. Critical security risks are highlighted with a neon red HIGH. Toggle shows or hides the messages in a specific section, and view trace opens the trace (i.e., the sniffed communications) from the tmp directory.
At this point, the user is left to interpret the results. To do so, you need expert knowledge of both computer security and forensics and details of the application you are testing. After all, it makes little sense for Ratproxy to warn you about a potential cross-site scripting risk if you are unable to close the gap. In other cases, Ratproxy lists generic issues that do not necessarily represent a security risk.
Because Ratproxy works entirely autonomously, you cannot inject your own test data into the web application to confirm your suspicions. Ratproxy can only report on the vulnerabilities it detects in the parts of the web application it actually investigates. (See the box titled "What the Rat Catcher Reveals.") The developers are aware that their product is not perfect, and they ask for suggestions, improvements, and details of any security issues Ratproxy fails to identify.
What the Rat Catcher Reveals
Ratproxy checks the dialog for the following:
- standards compliance, such as the correct use of MIME types (e.g., has a GIF image been served up as image/jpeg?)
- insecure responses, particularly with JSON and similar data formats
- cross-site scripting (XSS) attack vectors
- cross-site request forgery (XSRF) attack vectors; Ratproxy focuses in particular on embedded security tokens and predictable URLs
- data injection vectors, such as SQL injection
- suspicious Flash objects
- directory traversal vectors
- incorrect use of caching
- suspicious redirects
The messages.list file supplied with the source code archive gives you details of the problems Ratproxy logs.
Remember that Ratproxy is still beta. Don't be surprised to see some false positives, and don't rely on Ratproxy to the exclusion of all other tools. If you are willing to work around the quirks, Ratproxy it is still a useful addition to your security testing toolbox.
Ratproxy is still far from being a panacea. It does not give you a full list of unresolved vulnerabilities, nor does it help you resolve the issues it detects. Interpreting the results requires expert knowledge of web security.
What Ratproxy does do is reliably point you in the direction of potential issues, vulnerabilities, and poor code. If Google continues to refine its tool and can attract third-party vendors to dock at Ratproxy's open interfaces, Ratproxy could develop into a test jewel for web applications.
Buy this article as PDF
Klaus Knopper announces the latest version of his iconic Live Linux system.
According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.
DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.
Should you trust an online service to store your online passwords?
New B+ board lets you build cool things without the complication of a powered USB hub.
Redmond rushes in to root out alleged malware haven.
New initiative will bring futuristic virtual reality effects to the web surfing experience.
Dyreza malware launches a man-in-the-middle attack that compromises SSL.
New cloud combines worldwide access with local attention to data security.