OWASP Fiddler Addons for Security Testing Project - Revision history

Kait Disney-Leugers at 19:57, 23 January 2014

2014-01-23T19:57:12Z

Kait Disney-Leugers at 18:40, 23 January 2014

2014-01-23T18:40:29Z

Kait Disney-Leugers at 02:06, 23 January 2014

2014-01-23T02:06:44Z

ChrisWeber at 20:17, 15 January 2011

2011-01-15T20:17:19Z

ChrisWeber at 20:16, 15 January 2011

2011-01-15T20:16:09Z

ChrisWeber at 20:12, 15 January 2011

2011-01-15T20:12:39Z

ChrisWeber at 00:36, 7 December 2010

2010-12-07T00:36:03Z

ChrisWeber at 00:29, 7 December 2010

2010-12-07T00:29:13Z

ChrisWeber at 00:27, 7 December 2010

2010-12-07T00:27:43Z

ChrisWeber at 23:52, 6 December 2010

2010-12-06T23:52:51Z

@@ Line 4: / Line 4: @@
 ! width="500" align="center" | <br>
 |-
-| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/Category:OWASP_Project]]
+| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]
 | align="right" |

@@ Line 1: / Line 1: @@
-[[Image:OWASP Inactive Banner.jpg|1155px]]
+{|
 ==== Main  ====
 Welcome to the OWASP page presenting [http://www.fiddler2.com Fiddler] addons for security testing.  This is home of the [[Projects/OWASP_Watcher_Project|Watcher]] and [[Projects/OWASP_X5s_Project|x5s]] security testing tools built as extensions for the [http://www.fiddler2.com Fiddler] HTTP proxy.  A quick overview:

← Older revision		Revision as of 02:06, 23 January 2014
Line 1:		Line 1:
		+	[[Image:OWASP Inactive Banner.jpg\|1155px]]
	==== Main ====		==== Main ====
	Welcome to the OWASP page presenting [http://www.fiddler2.com Fiddler] addons for security testing. This is home of the [[Projects/OWASP_Watcher_Project\|Watcher]] and [[Projects/OWASP_X5s_Project\|x5s]] security testing tools built as extensions for the [http://www.fiddler2.com Fiddler] HTTP proxy. A quick overview:		Welcome to the OWASP page presenting [http://www.fiddler2.com Fiddler] addons for security testing. This is home of the [[Projects/OWASP_Watcher_Project\|Watcher]] and [[Projects/OWASP_X5s_Project\|x5s]] security testing tools built as extensions for the [http://www.fiddler2.com Fiddler] HTTP proxy. A quick overview:

@@ Line 14: / Line 14: @@
 [[Image:WatcherResults.png|thumb|300px|right|Watcher results screen]]
-Visit the [http://websecuritytool.codeplex.com/ Watcher project page on CodePlex]
+'''''Visit the [http://websecuritytool.codeplex.com/ Watcher project page on CodePlex]'''''
 Ever find yourself looking for that showstopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That's intitially why we created Watcher. For one thing, we don't want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but we still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that showstopper exploit.
@@ Line 114: / Line 114: @@
 [[Image:X5s-tutorial.png|thumb|300px|right|x5s tutorial]]
-Visit the [http://xss.codeplex.com/ x5s project page on CodePlex]
+'''''Visit the [http://xss.codeplex.com/ x5s project page on CodePlex]'''''
 X5s can help you find encoding issues that lead to XSS (cross-site scripting) attacks. It auto-injects test probes into every parameter of an HTTP request and analyzes responses to find where probes were not safely encoded.

@@ Line 13: / Line 13: @@
 [[Image:watcher-checks.png|thumb|300px|right|Watcher check configuration screen]]
 [[Image:WatcherResults.png|thumb|300px|right|Watcher results screen]]
 Ever find yourself looking for that showstopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That's intitially why we created Watcher. For one thing, we don't want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but we still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that showstopper exploit.
@@ Line 111: / Line 113: @@
 [[Image:X5s-results-screen.png|thumb|300px|right|x5s results screen]]
 [[Image:X5s-tutorial.png|thumb|300px|right|x5s tutorial]]
 X5s can help you find encoding issues that lead to XSS (cross-site scripting) attacks. It auto-injects test probes into every parameter of an HTTP request and analyzes responses to find where probes were not safely encoded.

← Older revision		Revision as of 00:36, 7 December 2010
Line 106:		Line 106:
	## A user-controlled open redirect was identified		## A user-controlled open redirect was identified

		+	== x5s ==
		+	[[Image:x5s-config-screen.png‎\|thumb\|300px\|right\|x5s configuration screen]]
		+	[[Image:X5s-char-screen.png‎\|thumb\|300px\|right\|x5s character configuration screen]]
		+	[[Image:X5s-results-screen.png\|thumb\|300px\|right\|x5s results screen]]
		+	[[Image:X5s-tutorial.png\|thumb\|300px\|right\|x5s tutorial]]
		+	X5s can help you find encoding issues that lead to XSS (cross-site scripting) attacks.

	==== FAST - Project About ====		==== FAST - Project About ====

@@ Line 16: / Line 16: @@
 Ever find yourself looking for that showstopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That's intitially why we created Watcher. For one thing, we don't want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but we still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that showstopper exploit.
-[http://websecuritytool.codeplex.com/wikipage?title=Checks Descriptions of the security checks]
+* [http://websecuritytool.codeplex.com/wikipage?title=Checks Descriptions of the security checks]
+* [http://websecuritytool.codeplex.com/documentation?referringTitle=Home Detailed Documentation]
-[http://websecuritytool.codeplex.com/documentation?referringTitle=Home Detailed Documentation]
+* [http://websecuritytool.codeplex.com/releases/view/22212 Download link]
 The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler which already provides the proxy framework for HTTP debugging. Some reasons to use Watcher include:

@@ Line 10: / Line 10: @@
 == Watcher ==
 Ever find yourself looking for that showstopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That's intitially why we created Watcher. For one thing, we don't want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but we still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that showstopper exploit.
@@ Line 27: / Line 31: @@
 If you’re building web-applications you already have a development and test staff. Fiddler has been valuable to dev and test for years as a general-purpose HTTP debugging proxy. Watcher fits seamlessly into the picture, providing valuable security insight with no special training requirements, dedicated machines, or other resources.
-=== Watcher screenshots ===
+=== User Interface ===
 The main configuration screen for Watcher makes it as simple as clicking the 'enable' button.  Once you do that, all HTTP traffic starts getting observed and analyzed for security issues.  You can also narrow Watcher's scope by specifying an ***origin*** domain that will be the focus of analysis, all others being ignored.  Custom Watcher configurations can also be saved so you don't need to re-enter the same information each time you launch the tool.
-[[Image:watcher-config.png|500px]]
+To get more granular, the checks configuration screen allows you enable and disable individual checks.  Some checks even come with their own configurations such as noise reduction or string analysis.
-To get more granular, the checks configuration screen allows you enable and disable individual checks.  Some checks even come with their own configurations such as noise reduction or string analysis.
+Or simply browse the source code at: [http://websecuritytool.codeplex.com/SourceControl/BrowseLatest http://websecuritytool.codeplex.com/SourceControl/BrowseLatest]
-[[Image:watcher-checks.png|500px]]
+Watcher itself can be easily extended to include new checks.
-The most interesting screen will probably be the results screen, where each finding is displayed.  From here you can remove findings, filter by severity, and export to XML, HTML, or TFS.
+=== Extensibility ===
-[[Image:WatcherResults.png|500px]]
+=== List of Security Checks ===

@@ Line 6: / Line 6: @@
 * [http://www.fiddler2.com Fiddler] is an HTTP debugging proxy with support (and scripting support) for traffic interception, traffic modification, replay, comparison, data parsing, offline usage, NTLM/basic/digest auth, and much more
 The [http://www.fiddler2.com Fiddler] HTTP debugging proxy has a long history with a wide user base and was chosen as the platform for building security testing tools found on this page.  By leveraging [http://www.fiddler2.com Fiddler] we can focus our efforts on the security testing logic and let the proxy do its job.
 ==== FAST - Project About ====