
List:       websecurity
Subject:    [WEB SECURITY] [tool] Watcher 1.3.0 passive Web-vulnerability testing
From:       "Chris Weber" <chris () casabasecurity ! com>
Date:       2010-02-25 19:04:38
Message-ID: 019a01cab64d$6316dc20$29449460$ () com

A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source add-on to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review. Among other things, we've added new checks to identify the insecure ViewState issues as recently reported by Trustwave's SpiderLabs [1].

You can read this announcement at http://www.casabasecurity.com/blog/ or download Watcher from CodePlex at http://websecuritytool.codeplex.com/. A short list of new features and improvements includes:

- A separate, optional component to export results to Team Foundation Server.

- New check to identify insecure ASP.NET VIEWSTATE configurations subject to tampering and pervasive XSS attacks.

- New check to identify insecure JavaServer MyFaces ViewState subject to tampering and XSS attacks.

- New check for Silverlight EnableHtmlAccess.

- Export results to HTML report.

- Compliance mappings to Microsoft SDL.

- If no origin domain is specified, each response domain will be treated as the origin, enabling better cross-domain analysis.

- Assorted bug fixes and improvements.

Bryan Sullivan and Patrick Toomey's ViewStateViewer plugin [2] provided inspiration for detecting ASP.NET VIEWSTATE MAC protection. When testing .NET 4.0 we discovered a change in the MAC implementation, which has also been accounted for in this check. David Byrne from Trustwave [1] provided most of the methodology ideas for detecting insecure JavaServer MyFaces ViewState.

In addition to the main developers (Robert Mooney and Samuel Bucholtz), we wanted to thank everyone who helped or provided suggestions for this release:

Hidetake Jo

Bryan Sullivan

David Byrne

Jason D. Montgomery

Dave Wichers

We welcome any criticism, suggestions, check ideas, and bug reports.

- Chris Weber

[1] Trustwave advisory https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

[2] ViewStateViewer plugin for Fiddler http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/
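Editor's note: the three new checks announced above (ASP.NET VIEWSTATE, MyFaces/JSF ViewState, Silverlight EnableHtmlAccess) are all passive: they look only at HTML that has already come back through the proxy. The following is an added example in Python of what such passive checks look like; it is not Watcher's code (Watcher is a C# Fiddler add-on) and does not reproduce its MAC detection, which the announcement credits to the ViewStateViewer approach of deserializing the state. What it does use are documented facts: the hidden-field names `__VIEWSTATE`, `__VIEWSTATEENCRYPTED` and `javax.faces.ViewState`; the ObjectStateFormatter marker bytes `FF 01` (.NET 2.0+) and the LosFormatter `t<` prefix (.NET 1.x, the familiar `dDw` base64 prefix); the Java serialization stream header `AC ED 00 05`; and the gzip header `1F 8B`. The severity labels, the finding texts and the two sample response bodies are constructed for the example.

```python
"""Passive ViewState / Silverlight checks over a captured response body (added example, not Watcher's code)."""
import base64
import binascii
import gzip
import zlib
from collections import namedtuple
from html.parser import HTMLParser

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header
GZIP_MAGIC = b"\x1f\x8b"                 # RFC 1952 gzip header (MyFaces may compress state)
ASPNET_OSF_MARKER = b"\xff\x01"          # ObjectStateFormatter marker, .NET 2.0+ __VIEWSTATE
ASPNET_LOS_PREFIX = b"t<"                # LosFormatter prefix, .NET 1.x __VIEWSTATE ("dDw" in base64)

Finding = namedtuple("Finding", "check severity detail")

class HiddenFieldCollector(HTMLParser):
    """Collects hidden <input> fields and the <param>s of Silverlight <object>s."""

    def __init__(self):
        super().__init__()
        self.hidden = {}              # hidden input name -> value
        self.silverlight_params = {}  # lower-cased param name -> lower-cased value
        self._in_silverlight = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")
        elif tag == "object" and "x-silverlight" in a.get("type", "").lower():
            self._in_silverlight = True
        elif tag == "param" and self._in_silverlight and a.get("name"):
            self.silverlight_params[a["name"].lower()] = a.get("value", "").lower()

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_silverlight = False

def decode_state(value):
    """Strict base64 decode; None for non-base64 tokens such as a Mojarra server-side state id ('-123:456')."""
    try:
        return base64.b64decode(value, validate=True) or None
    except (binascii.Error, ValueError):
        return None

def check_aspnet_viewstate(hidden):
    vs = hidden.get("__VIEWSTATE")
    if vs is None:
        return []
    if "__VIEWSTATEENCRYPTED" in hidden:
        return [Finding("ASP.NET", "info", "__VIEWSTATE is encrypted (__VIEWSTATEENCRYPTED present)")]
    raw = decode_state(vs) or b""
    if raw.startswith(ASPNET_OSF_MARKER) or raw.startswith(ASPNET_LOS_PREFIX):
        # Plaintext state is readable by the client; MAC protection is not visible passively.
        return [Finding("ASP.NET", "medium", "__VIEWSTATE is plaintext serialized state; confirm enableViewStateMac=true")]
    return []

def check_jsf_viewstate(hidden):
    vs = hidden.get("javax.faces.ViewState")
    if vs is None:
        return []
    raw = decode_state(vs)
    if raw is None:
        return [Finding("JSF", "info", "javax.faces.ViewState looks like a server-side state id")]
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            pass  # not really gzip; judge the raw bytes instead
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return [Finding("JSF", "high", "javax.faces.ViewState is unencrypted Java serialization: readable and tamperable unless MAC-checked")]
    return [Finding("JSF", "info", "javax.faces.ViewState is client-side state that is not plaintext (likely encrypted)")]

def check_silverlight(params):
    if params.get("enablehtmlaccess") == "true":
        return [Finding("Silverlight", "low", "enableHtmlAccess=true: the XAP's managed code may script the hosting page's DOM")]
    return []

def analyze_response(body):
    """Run every passive check over one response body and return the findings."""
    collector = HiddenFieldCollector()
    collector.feed(body)
    collector.close()
    return (check_aspnet_viewstate(collector.hidden)
            + check_jsf_viewstate(collector.hidden)
            + check_silverlight(collector.silverlight_params))

# Constructed sample responses (not captured from any real site): the state blobs carry
# the genuine format markers but are not complete serialized object graphs.
_ASPNET_BLOB = base64.b64encode(ASPNET_OSF_MARKER + b"\x0f\x01example").decode()
_JSF_BLOB = base64.b64encode(gzip.compress(JAVA_SERIAL_MAGIC + b"sr\x00\x05state")).decode()
SAMPLE_ASPNET = f"""<form method="post" action="Default.aspx">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{_ASPNET_BLOB}" />
<object type="application/x-silverlight-2" width="300" height="200">
  <param name="source" value="ClientBin/App.xap" />
  <param name="enableHtmlAccess" value="true" />
</object></form>"""
SAMPLE_JSF = f"""<form id="j_id1" method="post" action="/app/index.jsf">
<input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="{_JSF_BLOB}" />
</form>"""

if __name__ == "__main__":
    for name, body in (("aspnet", SAMPLE_ASPNET), ("jsf", SAMPLE_JSF)):
        for f in analyze_response(body):
            print(f"{name}: [{f.severity}] {f.check}: {f.detail}")
```

Running the file prints one line per finding for each sample: the ASP.NET page yields a "medium" for readable ViewState plus a "low" for enableHtmlAccess, and the JSF page a "high" for gzip-wrapped plaintext Java serialization. Note the limits of a passive check of this kind: it can tell plaintext from encrypted state and recognise server-side state ids, but it cannot tell whether a plaintext ASP.NET ViewState carries a valid MAC without deserializing it, which is exactly the part the announcement borrows from ViewStateViewer.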


