Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

After Shortinfosec compiled the Ratproxy tool for Windows, we got e-mails complaining that it is still unclear how to use the tool. Therefore, Shortinfosec is following up with a tutorial on using Ratproxy.
NOTE: Shortinfosec will present a demo analysis and report, but will not delve into the actual compromise of the identified vulnerabilities.

A hacker attacking a web site will analyze the entire structure of the site and use his experience and external tools to identify the points where he can compromise it. Ratproxy emulates this operation by functioning as a web proxy for the user's browsing; this way, ratproxy can intercept and analyze the entire communication and content of the analyzed site.

The difference between a hacker and ratproxy is that ratproxy will identify potential vulnerabilities but will not compromise them; it just reports them.

Ratproxy can be run with or without potentially disruptive tests. The difference is in the X (disruptive) or x (non-disruptive) switch. Here is a command activating ratproxy with disruptive functionality:
ratproxy -v ratproxy -w report.log -d domain.com -leXtifscg


After that, the folder from which ratproxy is run will contain a file called report.log. To make it human-readable, you should run it through a parser, downloadable from
http://code.google.com/p/ratproxy/source/browse/trunk/ratproxy-report.sh?r=9

You should run it from a cygwin shell. Make sure that it is a UNIX-formatted file (LF line endings rather than CR/LF), otherwise the shell will report errors.

The parser should be run with the following command:
$ ~/ratproxy-report.sh report.log > report.html
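As an added example (not code from the Shortinfosec post or the ratproxy project), the following POSIX shell helpers wrap the steps above: they detect the CR/LF problem in the downloaded parser, convert it to UNIX line endings, and refuse to render an empty report.log. The file names ratproxy-report.sh and report.log are assumed to be in the current directory.

```shell
#!/bin/sh
# Added example, not part of the original post or of ratproxy itself.
# Assumed inputs: ratproxy-report.sh (downloaded parser) and report.log (from ratproxy -w).

# Return 0 if the file contains CR bytes, i.e. DOS/Windows line endings.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Convert a file to UNIX line endings (LF only) in place, keeping a .orig backup.
to_unix_eol() {
    cp "$1" "$1.orig"
    tr -d '\r' < "$1.orig" > "$1"
}

# Prepare the parser script: fix line endings if needed, make it executable,
# and syntax-check it before it is run against real data.
prepare_parser() {
    script="$1"
    [ -f "$script" ] || { echo "missing $script" >&2; return 1; }
    if has_crlf "$script"; then
        echo "converting $script to UNIX line endings" >&2
        to_unix_eol "$script"
    fi
    chmod +x "$script"
    sh -n "$script"
}

# Render the log into HTML with the parser. An empty log usually means the
# browser never went through the proxy, so fail loudly instead of producing
# an empty report.
render_report() {
    parser="$1"; log="$2"; out="$3"
    [ -s "$log" ] || { echo "$log is empty: did the browser use the proxy?" >&2; return 1; }
    "$parser" "$log" > "$out"
}

# Typical use from a cygwin shell in the ratproxy folder:
#   prepare_parser ./ratproxy-report.sh && render_report ./ratproxy-report.sh report.log report.html
```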

When report.log is parsed, it will create an HTML file. Below is a screenshot of the report.


The report organizes the findings by the type of possible error encountered and then by the criticality of each specific issue identified.
Shortinfosec has created a sample report from scanning a localhost Apache 2.0 server with a CMS Made Simple site. You can download the sample report here.

Obviously, there are other products which perform the same function, like WebScarab, Paros, Burp, and ProxMon, so what is the benefit of ratproxy?
According to the ratproxy documentation:

it is designed specifically to deliver concise reports that focus on prioritized issues and to do this in a hands-off, repeatable manner. It features a sophisticated content-sniffing functionality capable of distinguishing between stylesheets and Javascript code snippets, supports SSL man-in-the-middle, on the fly Flash ActionScript decompilation, and even offers an option to confirm high-likelihood flaw candidates with a very lightweight, built-in active testing module.

Related posts
Ratproxy - Google Web Security Assessment Tool
Google's Ratproxy Web Security Tool for Windows

Talkback and comments are most welcome

2 comments:

Get Paid To said...

Nice, a lot of stuff I didn't know

Bozidar Spirovski said...

Thanks, I try. Did you manage to run ratproxy, and what are your experiences?
