[Bryan here. We have a guest blogger this week: Chris Weber of Casaba Security will be talking about his company’s new free web application security auditing tool, Watcher. We on the SDL team are pretty excited about it, especially because it verifies several SDL requirements and recommendations that we previously had no automated tool support for. We’re also looking at the possibility of incorporating Watcher as a new SDL recommendation in a future version of the SDL.]
Hi everyone, this is Chris Weber of Casaba Security writing a guest blog post to tell you about our new Watcher tool for web-app security auditing and testing. Watcher is a plug-in for Eric Lawrence’s Fiddler proxy aimed at helping developers and testers find security issues in their web-apps quickly and with little effort. Because it works passively at runtime, you have to drive it by opening a browser and cruising through your web-app as an end user. For the developer, the tool provides a quick sanity check, so you can find problems and hot-spots that warrant further attention. In the hands of a pen-tester it can assist in finding issues that lead to other attacks like XSS and CSRF.
So what does it find? In its first public release we shipped with more than 35 checks. Some of these checks provide coverage for Microsoft SDL requirements and OWASP recommendations. Some are informational and some identify hot-spots that might lead to vulnerabilities such as XSS. It aims to find issues that are simple in nature but easily hidden or overlooked. For example, Moxie Marlinspike recently talked at Black Hat and mentioned the insecurity of hosting an HTTP/S form inside of an insecure HTTP landing page. While there may be no visual indicator of this pattern in the browser, Watcher includes a check to report on it. Watcher looks for issues related to cross-domain mashups, user-controlled HTML (potential XSS), open redirects, insecure handling of cookies, Unicode, and other sources of vulnerability such as:
· User-controllable cross-domain references
· Potential XSS with user-controllable HTML attribute values such as href, form action, etc.
· Cross-domain form POSTs
· Cookies that don’t set the ‘HTTPOnly’ flag
· Cookies set over SSL that don’t include the ‘secure’ flag
· Loosely-scoped cookies
· Open redirects which can be abused by spammers and phishers
· Insecure Flash object parameters useful for cross-site scripting
· Insecure Flash crossdomain.xml
· Insecure Silverlight clientaccesspolicy.xml
· Charset declarations which could introduce vulnerability (non-UTF-8)
· User-controllable charset declarations
· Charset mismatches between HTTP and HTML
· Dangerous context-switching between HTTP and HTTPS
· HTTP pages insecurely loading HTTPS forms
· Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
· Potential HTTP referer leaks of sensitive user-information
· Information disclosure from URL parameters
· Source code comments worth a closer look
· Insecure authentication protocols like Digest and Basic
· SSL certificate validation errors
· SSL insecure protocol issues (allowing SSL v2)
· Unicode ill-formed UTF-8 byte sequences
· SharePoint servers with insecure configurations
This tool is planned for release under an Open Source license, and is designed for extensibility so that new checks can be added either in the main source or as individual assemblies. I’m hoping that some people may want to get involved in adding new checks and improving existing ones.
Setup is simple – install and run Fiddler, then launch the Watcher setup installer, or manually drop the Watcher DLLs in Fiddler’s ‘scripts’ folder. Inside Fiddler, click Watcher’s “Security Auditor” tab and click ‘enable’. At this point the findings will start showing for any domain. To narrow things down, you’ll want to configure Watcher with the domain name you’re concerned about, and add any trusted domains you want to include. By narrowing things down, you’ll actually enable another set of important checks – the cross-domain checks. Domain names support wildcards like *.contoso.com, and even simple regex patterns, so you could just type in ‘contoso’. For reporting, Watcher writes out to a list view table, including severity levels and a link back to the detailed request/response in Fiddler. The findings can be sorted, filtered, and exported to XML. A screenshot of the reporting interface is below.
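To make the passive-check idea concrete, here is an added example (not Watcher’s own code, which is a C# Fiddler plug-in) that runs a handful of checks in the spirit of the list above over a single captured response: cookies missing HttpOnly or Secure, loosely-scoped cookies, a charset mismatch between the HTTP header and the HTML meta tag, missing no-store on a response carrying private data, an HTTP page hosting an HTTPS form, and a cross-domain form POST judged against a trusted-domain list with the same *.contoso.com wildcard style as the setup section describes. The sample URL, headers and HTML body are constructed, the severity labels and the “a response that sets a cookie carries private data” heuristic are assumptions of this example, and wildcard matching is implemented with fnmatch rather than Watcher’s regex handling.

```python
"""Passive response checks modelled on Watcher's cookie, charset,
cache-control and cross-domain findings.  Example code written for this
post; check names, severities and sample traffic are constructed."""
import re
from fnmatch import fnmatch
from urllib.parse import urlparse

META_CHARSET = re.compile(r'<meta[^>]+charset=["\']?([\w-]+)', re.I)
FORM = re.compile(r'<form\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def header(headers, name):
    """First value of a header (case-insensitive) from a list of (name, value)."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def domain_allowed(host, trusted_patterns):
    """Wildcard match such as '*.contoso.com'.  Assumed semantics: fnmatch-style
    wildcards, with the bare apex domain counted as matching its '*.' pattern."""
    host = host.lower()
    for pat in trusted_patterns:
        pat = pat.lower()
        if fnmatch(host, pat) or (pat.startswith("*.") and host == pat[2:]):
            return True
    return False


def check_cookies(url, headers):
    findings = []
    page = urlparse(url)
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {}
        for p in parts[1:]:               # attributes such as Path=/, Secure, HttpOnly
            k, _, v = p.partition("=")
            attrs[k.lower()] = v
        if "httponly" not in attrs:
            findings.append(("Medium", f"cookie {cookie_name!r} lacks HttpOnly"))
        if page.scheme == "https" and "secure" not in attrs:
            findings.append(("Medium", f"cookie {cookie_name!r} set over SSL without Secure"))
        dom = attrs.get("domain", "").lstrip(".")
        if dom and dom != page.hostname:  # e.g. Domain=contoso.com set by www.contoso.com
            findings.append(("Low", f"cookie {cookie_name!r} loosely scoped to {dom!r}"))
    return findings


def check_charset(headers, body):
    findings = []
    m = re.search(r"charset=([\w-]+)", header(headers, "content-type") or "", re.I)
    http_cs = m.group(1).lower() if m else None
    m2 = META_CHARSET.search(body)
    html_cs = m2.group(1).lower() if m2 else None
    for cs, where in ((http_cs, "HTTP header"), (html_cs, "HTML meta")):
        if cs and cs != "utf-8":
            findings.append(("Low", f"non-UTF-8 charset {cs!r} declared in {where}"))
    if http_cs and html_cs and http_cs != html_cs:
        findings.append(("Medium", f"charset mismatch: HTTP says {http_cs!r}, HTML says {html_cs!r}"))
    return findings


def check_cache(headers):
    """Assumption for this example: a response that sets a cookie is treated as
    carrying private data and is expected to carry Cache-Control: no-store."""
    if header(headers, "set-cookie") is None:
        return []
    if "no-store" not in (header(headers, "cache-control") or "").lower():
        return [("Medium", "response sets a cookie but Cache-Control lacks no-store")]
    return []


def check_forms(url, body, trusted):
    findings = []
    page = urlparse(url)
    for m in FORM.finditer(body):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        action = urlparse(attrs.get("action", ""))
        method = attrs.get("method", "get").lower()
        if page.scheme == "http" and action.scheme == "https":
            findings.append(("High", f"HTTP page hosts an HTTPS form ({action.geturl()})"))
        if (method == "post" and action.hostname and action.hostname != page.hostname
                and not domain_allowed(action.hostname, trusted)):
            findings.append(("Medium", f"cross-domain form POST to {action.hostname!r}"))
    return findings


def audit(url, headers, body, trusted):
    """Run every check over one captured response; returns (severity, message) pairs."""
    return (check_cookies(url, headers) + check_charset(headers, body)
            + check_cache(headers) + check_forms(url, body, trusted))


# Constructed sample traffic: an HTTP account page on a made-up site.
SAMPLE_URL = "http://www.contoso.com/account"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Domain=contoso.com"),
    ("Cache-Control", "public, max-age=600"),
]
SAMPLE_BODY = (
    '<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">'
    '</head><body><form method="post" action="https://login.contoso.com/auth"></form>'
    '<form method="post" action="http://ads.example.net/track"></form></body></html>'
)
TRUSTED = ["*.contoso.com"]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY, TRUSTED):
        print(f"[{severity}] {message}")
```

Running it on the constructed sample yields seven findings, and the login form posting to login.contoso.com is not reported as cross-domain because it falls under the *.contoso.com trusted pattern, while the POST to ads.example.net is. That is the effect the setup section describes: narrowing Watcher to your own domains is what turns the cross-domain checks from noise into signal.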
You can download the Watcher binaries and sources, access bug tracking, forums, and documentation at http://websecuritytool.codeplex.com/. Be sure to first download the Fiddler tool from http://www.fiddlertool.com/.
I hope some of you can find it as useful as we have – please drop a message on the CodePlex forums, or send an email to me with questions, ideas for new checks, or feedback. Happy bug hunting!