Revision as of 06:45, 6 December 2010
Main
Welcome to the OWASP page presenting Fiddler addons for security testing. This is home of the Watcher and x5s security testing tools built as extensions for the Fiddler HTTP proxy. A quick overview:
- Watcher is a passive vulnerability scanner for Web applications
- x5s is an active cross-site scripting testing tool for Web applications
- Fiddler is an HTTP debugging proxy with support (and scripting support) for traffic interception, traffic modification, replay, comparison, data parsing, offline usage, NTLM/basic/digest auth, and much more
The Fiddler HTTP debugging proxy has a long history with a wide user base and was chosen as the platform for building security testing tools found on this page. By leveraging Fiddler we can focus our efforts on the security testing logic and let the proxy do its job.
FAST - Project About
- The OWASP Fiddler Addons for Security Testing Project (aka OWASP FAST) is the umbrella for two complementary projects:
Watcher - Project About
PROJECT INFO: What does this OWASP project offer you?

What is this project?

Name: OWASP Watcher Project (home page)

Purpose: Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems, so it is completely safe to use in cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:
- Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, JavaScript, CSS, and development frameworks (e.g. ASP.NET, JavaServer);
- Works seamlessly with complex Web 2.0 applications while you drive the Web browser;
- Non-intrusive, will not raise alarms or damage production sites;
- Real-time analysis and reporting - findings are reported as they're found, exportable to XML, HTML, and Team Foundation Server (TFS);
- Configurable domains with wildcard support;
- Extensible framework for adding new checks.

License: New BSD

Who is working on this project?

Project Leader(s):

How can you learn more?

Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts

RELEASE(S) INFO: What releases are available for this project?

Current release

Watcher v1.5.0 - Nov 17 2010 - (download)

Release description: Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler, which already provides the proxy framework for HTTP debugging.

Rating: Not Reviewed - Assessment Details

Last reviewed release

Not Yet Reviewed
X5s - Project About
PROJECT INFO: What does this OWASP project offer you?

What is this project?

Name: OWASP X5s Project (home page)

Purpose: Active XSS testing and input/output encoding detection

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. This is not a point-and-shoot tool: it requires some understanding of how encoding issues lead to XSS, and it requires manual driving.

Its main goal is to help you identify the hot-spots where XSS might occur by:
- Detecting where safe encodings were not applied to emitted user inputs
- Detecting where Unicode character transformations might bypass security filters
- Detecting where non-shortest UTF-8 encodings might bypass security filters

License: New BSD

Who is working on this project?

Project Leader(s):

How can you learn more?

Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Main links:
Key Contacts

RELEASE(S) INFO: What releases are available for this project?

Current release

x5s v1.0.1 - 06/05/2010 - (download)

Release description: x5s was first and foremost designed to find encoding and character transformation issues that can lead to XSS vulnerabilities, and to present them in a visual way where they can be reviewed quickly. Many tools exist for testing Web applications to find cross-site scripting bugs. There are browser plugins, Web scanners, and static code analyzers. We use whatever suits us in a given situation and produces the output we're interested in receiving. We developed x5s for penetration testers and other security-minded persons who already know how to find and exploit an XSS vulnerability. The tool has a slightly different bent than other tools we've used.

Its main goals include:
- Automate finding the encoding issues that can lead to XSS.
- Identify where character transformations occur by injecting multibyte characters such as higher Unicode code points and non-shortest form character encodings.
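The two checks named in the goals above (and in the purpose section earlier), written out as an added Python example that is not x5s code and is not from the OWASP page: a classifier that reports whether a reflected probe character came back HTML-encoded, raw or transformed, and a scanner that flags non-shortest-form (overlong) UTF-8 sequences that a lenient decoder might accept after a filter has passed them. The marker string `x5s`, the function names and the sample response bodies are constructed assumptions.

```python
import html

def classify_reflections(marker, probe, body):
    """For each reflection of `marker` in an HTML response body, classify how the
    probe character sent right after it came back:
      "encoded"     as an HTML entity (safe output encoding was applied)
      "raw"         exactly as sent (a hot-spot when the probe is HTML-significant)
      "transformed" as something else (a character transformation happened)
    An empty list means the input was not reflected at all."""
    results, entity = [], html.escape(probe)   # "<" -> "&lt;", "'" -> "&#x27;"
    pos = body.find(marker)
    while pos != -1:
        tail = body[pos + len(marker):]
        if entity != probe and tail.startswith(entity):
            results.append(("encoded", entity))
        elif tail.startswith(probe):
            results.append(("raw", probe))
        else:
            results.append(("transformed", tail[:len(probe)]))
        pos = body.find(marker, pos + len(marker))
    return results

def overlong_utf8_sequences(data):
    """Return (offset, bytes) of every non-shortest-form UTF-8 sequence: a
    well-formed multibyte sequence whose code point fits in fewer bytes.
    RFC 3629 requires decoders to reject these; a lenient decoder may turn
    b"\\xc0\\xbc" into "<" after an ASCII-only filter has already let it pass."""
    found, i = [], 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF:
            n, minimum = 2, 0x80
        elif 0xE0 <= lead <= 0xEF:
            n, minimum = 3, 0x800
        elif 0xF0 <= lead <= 0xF7:
            n, minimum = 4, 0x10000
        else:                           # ASCII, stray continuation byte or invalid lead
            i += 1
            continue
        seq = data[i:i + n]
        if len(seq) < n or any(not 0x80 <= c <= 0xBF for c in seq[1:]):
            i += 1                      # truncated or malformed sequence: skip it
            continue
        cp = lead & (0x7F >> n)         # payload bits of the lead byte
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:                # decodes to a value a shorter form could carry
            found.append((i, seq))
        i += n
    return found
```

A "raw" result for `<` or `"` marks a spot where output encoding is missing; a "transformed" result marks a spot where the application rewrote the character, so filters applied before the transformation may not see what the browser eventually does.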

Rating: Not Reviewed - Assessment Details

Last reviewed release

Not Yet Reviewed