
Security Basics mailing list archives

Re: ratproxy issues
From: "Alonso Caballero Quezada / ReYDeS" <reydes () gmail com>
Date: Mon, 10 Nov 2008 12:09:20 -0500


Hey Alonso,

I would like to talk about the use of ratproxy, and the issues reported.

1- Test Phase

I test the systems with the following parameters:
-XCrlfscmetigj  (for active testing).

What parameters do you use?


# ./ratproxy -w /tmp/ratlog -v /tmp/rattraces -2 -e -x -t -i -f -s -c -g -j -X -C -d www.midominio.net

To perform the test I click on every app's link, but it is a little boring,
and there's a risk of forgetting some link. Let alone a big one.

How do you proceed to test your apps?

Here you have to do a mix of automated checks and manual verification.
The best of guides: OWASP.

2- Issues Phase

Ratproxy reported some high risk issues, so I need to understand them in
order to convince the developers.

I've found this link http://code.google.com/p/doctype/wiki/ArticlesXSS
that explains many of the threats reported by ratproxy.

What approach do you use in order to convince the developer team about the
risks exposed?

Although ratproxy minimizes false positives, it is necessary to conduct a
manual verification of the results.
Again: OWASP Development Guide 2.0 X)

Is there any comparison between ratproxy and other pen test tools?

Ratproxy is a "passive" web application security audit tool.
You should use multiple tools to do a good job.


No problem.


Alonso Caballero Quezada aka ReYDeS - ReYDeS () gmail com
GIAC Computer and Network Security Awareness (SSP-CNSA)
http://alonsocaballero.informatizate.net - LRU #307242
PeruSEC.org - informatizate.net - NoticiasTrujillo.com
