The Ratproxy security scanner looks for vulnerabilities in web applications
The Showdown
Pressing Ctrl+C terminates the Ratproxy test. The results of the analysis land in the slightly cryptic ratproxy.log file, which is designed for easy machine readability and for cooperation with grep (Figure 3). Until new tools appear, you can use the ratproxy-report.sh script to generate a more intuitive HTML report:
./ratproxy-report.sh ratproxy.log > report.html
The report looks like that in Figure 4: The list presents the problems identified by Ratproxy, sorted by type and importance. Critical security risks are highlighted with a neon red HIGH. Toggle shows or hides the messages in a specific section, and view trace opens the trace (i.e., the sniffed communications) from the tmp directory.
At this point, the user is left to interpret the results. To do so, you need expert knowledge of both computer security and forensics and details of the application you are testing. After all, it makes little sense for Ratproxy to warn you about a potential cross-site scripting risk if you are unable to close the gap. In other cases, Ratproxy lists generic issues that do not necessarily represent a security risk.
Conclusions
Because Ratproxy works entirely autonomously, you cannot inject your own test data into the web application to confirm your suspicions. Ratproxy can only report on the vulnerabilities it detects in the parts of the web application it actually investigates. (See the box titled "What the Rat Catcher Reveals.") The developers are aware that their product is not perfect, and they ask for suggestions, improvements, and details of any security issues Ratproxy fails to identify.
What the Rat Catcher Reveals
Ratproxy checks the dialog for the following:
- standards compliance, such as the correct use of MIME types (e.g., has a GIF image been served up as image/jpeg?)
- insecure responses, particularly with JSON and similar data formats
- cross-site scripting (XSS) attack vectors
- cross-site request forgery (XSRF) attack vectors; Ratproxy focuses in particular on embedded security tokens and predictable URLs
- data injection vectors, such as SQL injection
- risky JavaScript, OGNL and Java constructions
- incorrect use of cookies
- suspicious Flash objects
- directory traversal vectors
- incorrect use of caching
- suspicious redirects
The messages.list file supplied with the source code archive gives you details of the problems Ratproxy logs.
Remember that Ratproxy is still beta. Don't be surprised to see some false positives, and don't rely on Ratproxy to the exclusion of all other tools. If you are willing to work around the quirks, Ratproxy it is still a useful addition to your security testing toolbox.
Ratproxy is still far from being a panacea. It does not give you a full list of unresolved vulnerabilities, nor does it help you resolve the issues it detects. Interpreting the results requires expert knowledge of web security.
What Ratproxy does do is reliably point you in the direction of potential issues, vulnerabilities, and poor code. If Google continues to refine its tool and can attract third-party vendors to dock at Ratproxy's open interfaces, Ratproxy could develop into a test jewel for web applications.
Infos
- Ratproxy: http://code.google.com/p/ratproxy
- Chorizo: https://chorizo-scanner.com
- Burp Suite: http://portswigger.net/suite
- Flash decompiler Flare: http://www.nowrap.de/flare.html
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
News
-
Red Hat Enterprise Linux 7.5 Released
The latest release is focused on hybrid cloud.
-
Microsoft Releases a Linux-Based OS
The company is building a new IoT environment powered by Linux.
-
Solomon Hykes Leaves Docker
In a surprise move, Solomon Hykes, the creator of Docker has left the company.
-
Red Hat Celebrates 25th Anniversary with a New Code Portal
The company announces a GitHub page with links to source code for all its projects
-
Gnome 3.28 Released
The latest GNOME rolls out with better contact management and new features for handling virtual machines.
-
Install Firefox in a Snap on Linux
Mozilla has picked the Snap package system to deliver its application to Linux users.
-
OpenStack Queens Released
The new release comes with new features for mission critical workloads.
-
Kali Linux Comes to Windows
The Kali Linux developers even managed to run full blown XFCE desktop via WSL.
-
Ubuntu to Start Collecting Some Data with Ubuntu 18.04
It will be an ‘opt-out’ feature.
-
CNCF Illuminates Serverless Vision
The Cloud Native Computing Foundation announces a paper describing their model for a serverless ecosystem.