Home page logo

webappsec logo WebApp Sec mailing list archives

[tool] Watcher 1.3.0 passive Web-vulnerability testing
From: "Chris Weber" <chris () casabasecurity com>
Date: Thu, 25 Feb 2010 11:13:09 -0800

A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an 
open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding 
Web-application security issues as well as hot-spots for deeper review. Among other things, we’ve added new checks to 
identify the insecure ViewState issues as recently reported by Trustwave’s SpiderLabs [1]. 

You can read this announcement at http://www.casabasecurity.com/blog/ or download Watcher from CodePlex at 
http://websecuritytool.codeplex.com/.  A short list of new features and improvements includes:

- A separate, optional component to export results to Team Foundation Server.
- New check to identify insecure ASP.NET VIEWSTATE configurations subject to tampering and pervasive XSS attacks. 
- New check to identify insecure JavaServer MyFaces ViewState subject to tampering and XSS attacks. 
- New check for Silverlight EnableHtmlAccess.
- Export results to HTML report.
- Compliance mappings to Microsoft SDL.
- If no origin domain is specified, each response domain will be treated as the origin, enabling better cross-domain 
- Assorted bug fixes and improvements.

Bryan Sullivan and Patrick Toomey’s ViewStateViewer plugin [2] provided inspiration for detecting ASP.NET VIEWSTATE MAC 
protection. When testing .NET 4.0 we discovered a change in the MAC implementation which has also been accounted for in 
this check. David Byrne from Trustwave [1] provided most of the methodology ideas for detecting insecure JavaServer 
MyFaces ViewState.

In addition to the main developers (Robert Mooney and Samuel Bucholtz), we wanted to thank everyone who helped or 
provided suggestions for this release:

Hidetake Jo
Bryan Sullivan
David Byrne
Jason D. Montgomery
Dave Wichers

We welcome any criticism, suggestions, check ideas, and bug reports. 
- Chris Weber

[1] Trustwave advisory https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
[2] ViewStateViewer plugin for Fiddler 

This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!

  By Date           By Thread  

Current thread:
  • [tool] Watcher 1.3.0 passive Web-vulnerability testing Chris Weber (Feb 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]