The Showdown
Pressing Ctrl+C terminates the Ratproxy test. The results of the analysis land in the slightly cryptic ratproxy.log file, which is designed for easy machine readability and for cooperation with grep (Figure 3). Until new tools appear, you can use the ratproxy-report.sh script to generate a more intuitive HTML report:
./ratproxy-report.sh ratproxy.log > report.html
|
|
Figure 3: Ratproxy's logfile is not exactly intuitive.
|
The report looks like that in Figure 4: The list presents the problems identified by Ratproxy, sorted by type and importance. Critical security risks are highlighted with a neon red HIGH. Toggle shows or hides the messages in a specific section, and view trace opens the trace (i.e., the sniffed communications) from the tmp directory.
|
|
Figure 4: Ratproxy provides a report with results of the testing.
|
At this point, the user is left to interpret the results. To do so, you need expert knowledge of both computer security and forensics and details of the application you are testing. After all, it makes little sense for Ratproxy to warn you about a potential cross-site scripting risk if you are unable to close the gap. In other cases, Ratproxy lists generic issues that do not necessarily represent a security risk.
Conclusions
Because Ratproxy works entirely autonomously, you cannot inject your own test data into the web application to confirm your suspicions. Ratproxy can only report on the vulnerabilities it detects in the parts of the web application it actually investigates. (See the box titled "What the Rat Catcher Reveals.") The developers are aware that their product is not perfect, and they ask for suggestions, improvements, and details of any security issues Ratproxy fails to identify.
What the Rat Catcher Reveals
Ratproxy checks the dialog for the following:
- standards compliance, such as the correct use of MIME types (e.g., has a GIF image been served up as image/jpeg?)
- insecure responses, particularly with JSON and similar data formats
- cross-site scripting (XSS) attack vectors
- cross-site request forgery (XSRF) attack vectors; Ratproxy focuses in particular on embedded security tokens and predictable URLs
- data injection vectors, such as SQL injection
- risky JavaScript, OGNL and Java constructions
- incorrect use of cookies
- suspicious Flash objects
- directory traversal vectors
- incorrect use of caching
- suspicious redirects
The messages.list file supplied with the source code archive gives you details of the problems Ratproxy logs.
Remember that Ratproxy is still beta. Don't be surprised to see some false positives, and don't rely on Ratproxy to the exclusion of all other tools. If you are willing to work around the quirks, Ratproxy it is still a useful addition to your security testing toolbox.
Ratproxy is still far from being a panacea. It does not give you a full list of unresolved vulnerabilities, nor does it help you resolve the issues it detects. Interpreting the results requires expert knowledge of web security.
What Ratproxy does do is reliably point you in the direction of potential issues, vulnerabilities, and poor code. If Google continues to refine its tool and can attract third-party vendors to dock at Ratproxy's open interfaces, Ratproxy could develop into a test jewel for web applications.
Comments