OWASP Fiddler Addons for Security Testing Project

Main

Welcome to the OWASP page presenting Fiddler addons for security testing. This is home of the Watcher and x5s security testing tools built as extensions for the Fiddler HTTP proxy. A quick overview:

• Watcher is a passive vulnerability scanner for Web applications
• x5s is an active cross-site scripting testing tool for Web applications
• Fiddler is an HTTP debugging proxy with support (and scripting support) for traffic interception, traffic modification, replay, comparison, data parsing, offline usage, NTLM/basic/digest auth, and much more

Fiddler HTTP Proxy

The Fiddler HTTP debugging proxy has a long history with a wide user base and was chosen as the platform for building security testing tools found on this page. By leveraging Fiddler we can focus our efforts on the security testing logic and let the proxy do its job.

Watcher

Watcher configuration screen

Watcher check configuration screen

Watcher results screen

Ever find yourself looking for that showstopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That's intitially why we created Watcher. For one thing, we don't want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but we still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that showstopper exploit.

Descriptions of the security checks

Detailed Documentation

Download link

The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler which already provides the proxy framework for HTTP debugging. Some reasons to use Watcher include:

• Safe for the Cloud and hosting environments

Being passive gives Watcher several advantages - when applications live in the Cloud there's often a risk that running security testing could damage the shared infrastructure. However, using a passive tool like Watcher ensures that there's no chance of damaging Cloud-like infrastructure.

• Safe for production environments

Watcher does not attack web-applications with loads of intrusive requests, it doesn't modify inputs to your application. Unlike crawlers and web-application scanners, Watcher does not generate dangerous traffic. It quietly analyzes normal user-interaction and makes educated reports on the security of an application.

• Low overhead, no training

If you’re building web-applications you already have a development and test staff. Fiddler has been valuable to dev and test for years as a general-purpose HTTP debugging proxy. Watcher fits seamlessly into the picture, providing valuable security insight with no special training requirements, dedicated machines, or other resources.

User Interface

The main configuration screen for Watcher makes it as simple as clicking the 'enable' button. Once you do that, all HTTP traffic starts getting observed and analyzed for security issues. You can also narrow Watcher's scope by specifying an ***origin*** domain that will be the focus of analysis, all others being ignored. Custom Watcher configurations can also be saved so you don't need to re-enter the same information each time you launch the tool.

To get more granular, the checks configuration screen allows you enable and disable individual checks. Some checks even come with their own configurations such as noise reduction or string analysis.

The most interesting screen will probably be the results screen, where each finding is displayed. From here you can remove findings, filter by severity, and export to XML, HTML, or TFS.

Source Code

Watcher has been written in C# for .NET. The source code is hosted by CodePlex in a Mercurial repository which can be cloned at:

Mercurial repo: https://hg01.codeplex.com/websecuritytool

Or simply browse the source code at: http://websecuritytool.codeplex.com/SourceControl/BrowseLatest

Watcher itself can be easily extended to include new checks.

Extensibility

Watcher was built to be easily extended with new checks. You should be able to easily add custom checks and have them included in all of Watcher's functionality. A good way to get started is to browse the code looking at the Watcher Check Library, and picking one of the simpler checks to use as a template. That will show you the basic structure of what's required. I should really write a tutorial about this... added to the roadmap.

List of Security Checks

The following is a list of security checks for Watcher 1.5 as of December 6, 2010. Details are available over at Watcher's Codeplex page.

1. ASP.NET checks
   1. Insecure VIEWSTATE tampering possibility
2. Charset checks
   1. Charset declaration was not UTF-8
   2. A Charset mismatch was identified
3. Cookie checks
   1. Loosely scoped cookie was identified
   2. Cookie's secure flag was not set
   3. Cookie's HttpOnly flag was not set
4. Cross-Domain checks
   1. Cross-domain CSS resource
   2. Cross-domain JavaScript src reference
   3. Cross-domain JavaScript DOM reference
   4. Cross-domain Form action
5. Flash checks
   1. Flash allows JavaScript access
   2. Flash Crossdomain.xml file contains insecure domain references
6. HTTP Header checks
   1. Cache-Control not set to 'no-store'
   2. Content-Type declaration missing
   3. X-XSS-PROTECTION disables Internet Explorer protection
   4. X-XFRAMES-OPTIONS not set to prevent click-jacking
   5. X-CONTENT-TYPE-OPTIONS not set to prevent MIME-type sniffing
   6. Weak authentication
7. Information Disclosure checks
   1. Information disclosure in error messages
   2. Information disclosure in database error messages
   3. Information disclosure in comments
   4. Information disclosure in HTTP referrer
   5. Information disclosure in URL parameters
8. Java checks
   1. Java Server MyFaces vulnerable to VIEWSTATE tampering
9. Javascript checks
   1. Use of javascript eval methods
   2. Use of javascript domain lowering techniques
10. Sharepoint checks
    1. Sharepoint insecure document library
11. Silverlight checks
    1. Silverlight clientaccesspolicy.xml/crossdomain.xml contains insecure domain references
    2. Silverlight settings allow javascript access
12. SSL checks
    1. Insecure transition from HTTP to HTTPS
    2. Insecure transition from HTTPS to HTTP
    3. SSL certificates failed validation
    4. Legacy SSL v2 protocol was accepted by server
13. Unicode checks
    1. Ill-formed UTF-8 byte sequence was identified
14. User-Controlled Input checks
    1. A user-controlled charset declaration was identified
    2. A potential cookie-poisoning vulnerability was found
    3. A potential XSS vulnerability was found
    4. A likely XSS vulnerability was found in a user-controlled page event
    5. A potential XSS vulnerability was found through a user-controlled javascript reference
    6. A user-controlled open redirect was identified

FAST - Project About

• The OWASP Fiddler Addons for Security Testing Project (aka OWASP FAST) is the umbrella for two complementary projects:
  • Watcher Project - a passive vulnerability scanner,
  • X5s Project - an active XSS testing and input/output encoding detection.

Watcher - Project About

PROJECT INFO What does this OWASP project offer you?

RELEASE(S) INFO What releases are available for this project?

what is this project? Name: OWASP Watcher Project (home page) Purpose: Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems, it's completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more. Major Features: Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer); Works seamlessly with complex Web 2.0 applications while you drive the Web browser; Non-intrusive, will not raise alarms or damage production sites; Real-time analysis and reporting - findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS); Configurable domains with wildcard support; Extensible framework for adding new checks. License: New BSD who is working on this project? Project Leader(s): Chris Weber @ how can you learn more? Project Pamphlet: Not Yet Created Project Presentation: Mailing list: Mailing List Archives Project Roadmap: View Main links: Descriptions of the security checks Detailed Documentation Download link Key Contacts Contact Chris Weber @ to contribute to this project Contact Chris Weber @ to review or sponsor this project

current release Watcher v1.5.0 - Nov 17 2010 - (download) Release description: Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler which already provides the proxy framework for HTTP debugging. Rating: Not Reviewed - Assessment Details last reviewed release Not Yet Reviewed other releases Watcher v1.5.0

X5s - Project About

PROJECT INFO What does this OWASP project offer you?

RELEASE(S) INFO What releases are available for this project?

what is this project? Name: OWASP X5s Project (home page) Purpose: Active XSS testing and input/output encoding detection x5s is a Fiddleraddon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. This is not a point and shoot tool, it requires some understanding of how encoding issues lead to XSS, and it requires manual driving. It's main goal is to help you identify the hotspots where XSS might occur by: Detecting where safe encodings were not applied to emitted user-inputs Detecting where Unicode character transformations might bypass security filters Detecting where non-shortest UTF-8 encodings might bypass security filters License: New BSD who is working on this project? Project Leader(s): Chris Weber @ how can you learn more? Project Pamphlet: Not Yet Created Project Presentation: Mailing list: Mailing List Archives Project Roadmap: Not Yet Created Main links: Quickstart Tutorial Detailed Documentation Download link Key Contacts Contact Chris Weber @ to contribute to this project Contact Chris Weber @ to review or sponsor this project

current release x5s v1.0.1 - 06/05/2010 - (download) Release description: x5s was first and foremost designed to find encoding and character transformation issues that can lead to XSS vulnerability, and present them in a visual way where they could be reviewed with a quickness. Many tools exist for testing Web-applications to find cross-site scripting bugs. There are browser plugins, Web-scanners, and static code analyzers. We use whatever suits us in a given situation and produces the output we're interested in receiving. We developed x5s for penetration testers and other security-minded persons who already know how to find and exploit an XSS vulnerability. The tool has a slightly different bent than other tools we've used. It's main goals include: Automate finding the encoding issues that can lead to XSS. Identify where character transformations occur by injecting multibyte characters such as higher Unicode code points and non-shortest form character encodings. Rating: Not Reviewed - Assessment Details last reviewed release Not Yet Reviewed other releases x5s v1.0.1