Note: To participate, please come with Fiddler and the Watcher tool (http://websecuritytool.codeplex.com) installed for the hands-on session.

Pen-testers like to find bugs. Auditors like to find issues. Developers wish they would all go away. And what does everyone end up doing? Running scanners, static analysis tools, instrumentation and code reviews.

Watcher is a passive Web-app testing tool released as an Open Source project. It fills an important gap and assists during the manual runtime testing process. It's literally as simple as it gets: you click 'enable', browse your web-app, and watch the findings start popping up. Watcher silently examines all traffic and makes logical decisions to identify real issues. There's low overhead required, and nothing intrusive.

Watcher works as a manual reviewer's assistant. For auditors, it finds the policy violations. For developers, it finds the configuration issues and design weaknesses. For the pen-tester, Watcher provides all this plus real 'hot-spot' detection. With a view of the hot-spots, pen-testers know where to look closer to find deeper issues leading to cross-site scripting and other important vulnerabilities.

Watcher has been in development for some time and includes over 35 checks. This presentation intends to demonstrate this Open Source tool, discuss some of the checks and vulnerabilities in detail, and present the extensibility model.
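To illustrate what a passive check of the kind described above does, here is an added example (not Watcher's own code, which is a Fiddler extension, and not from the talk) that inspects one recorded request/response pair without sending any traffic: it flags cookies set without HttpOnly/Secure as a configuration issue, and reports query parameters echoed verbatim into an HTML body as a hot-spot worth a closer manual look. The sample URL and response are constructed.

```python
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import urlparse, parse_qsl

# Constructed sample traffic: one request URL and the raw response it produced.
SAMPLE_URL = "https://shop.example/search?q=<b>boots</b>&page=2"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sid=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>Results for <b>boots</b> (page 2)</body></html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def passive_checks(url, headers, body):
    """Inspect one recorded exchange; return a list of (kind, where) findings."""
    findings = []
    scheme = urlparse(url).scheme
    ctype = next((v for n, v in headers if n == "content-type"), "")
    # Configuration check: cookies issued without the HttpOnly / Secure flags.
    for name, value in headers:
        if name != "set-cookie":
            continue
        for cname, morsel in SimpleCookie(value).items():
            if not morsel["httponly"]:
                findings.append(("cookie-httponly", cname))
            if scheme == "https" and not morsel["secure"]:
                findings.append(("cookie-secure", cname))
    # Hot-spot check: request parameters echoed verbatim into an HTML body.
    if "html" in ctype.lower():
        for pname, pvalue in parse_qsl(urlparse(url).query):
            if len(pvalue) < 3 or pvalue not in body:
                continue
            # Metacharacters coming back unencoded mark where to look closer.
            kind = "hot-spot" if escape(pvalue) != pvalue else "reflected"
            findings.append((kind, pname))
    return findings

def run_sample():
    """Run the checks over the constructed sample exchange."""
    _, headers, body = parse_response(SAMPLE_RESPONSE)
    return passive_checks(SAMPLE_URL, headers, body)

if __name__ == "__main__":
    for kind, where in run_sample():
        print(f"{kind}: {where}")
```

A real extension would run this per transaction as the proxy records it; the "reflected" result is informational, while "hot-spot" is the case the abstract says deserves manual follow-up.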