Posts Tagged ‘Watcher’

Watcher overview translated into Serbo-Croatian

January 28th, 2013 by

The introduction page for Watcher has been translated into the Serbo-Croatian language by Jovana Milutinovich, a computer science student at the University of Belgrade in Serbia. Her translation can be found at the following URL:

Thank you Jovana!

New Watcher rule for custom-defined pattern matching

January 21st, 2013 by

The passive Web-application vulnerability scanner Watcher has been updated with a new check that allows you to define a custom pattern in the form of a regular expression. Each incoming HTML, javascript, or JSON response will be checked for a match.

To see this, download Watcher, go to the Checks tab, and select “Miscellaneous – Check HTTP response body for custom-defined regex patterns.”


From here, you can add as many regex patterns as you’d like. Each one will be check, and if matches are found they will be reported in bulk per response. For example, if you wanted to extract all things that look like email addresses, you could add this rule:


On the results tab of Watcher, you’ll find your matches:

Watcher-regex result

That’s about it, pretty simple, but bear a few warnings:

  1. Watcher will not validate your regex, that’s up to you to make sure it works with C# syntax!
  2. Bad regex patterns could cause Fiddler to stop functioning, for example if they consume too many CPU or memory resources.

Happy bug hunting!

Porting Watcher checks to ModSecurity rules!

January 10th, 2012 by

Earlier this year, Ryan Barnett at TrustWave’s Spiderlabs started porting some of Watcher’s checks to ModSecurity.   After we chatted about this, I decided to get involved.  We always liked the idea of a server-side scanner watching the Web traffic, and since ModSecurity sits right in the sweet spot it all made sense to focus some effort there.

So over the past few months we’ve been working to port more of Watcher’s passive Web scanning checks to theModSecurity open source Web Application Firewall.  It seems to be working out, as some of the rules have made it into the latest release of ModSecurity’s Core Rule Set v2.2.3 as well as some earlier rule sets.  There’s more to come.  Please send any feedback to me or Ryan, and look for more rules to be added very soon.

Watcher 1.4.0 released

May 25th, 2010 by

A new update to the Watcher passive Web-vulnerability scanner has been released. Based on user feedback we’ve built out the Wiki documentation on Codeplex with more details about the issues identified by each Watcher check. Inside the tool, a reference is now included as a link back to the Wiki. I hope to improve the documentation on the Wiki and welcome all your suggestions.

A new check has been added to detect when domain lowering occurs through javascript, typically done by setting document.domain equal to the parent domain. We’ve also made some more efforts at noise-reduction, by enabling some of the noise-reduction configurations by default, namely in the cookie and VIEWSTATE checks.

Watcher 1.3.0 released

February 25th, 2010 by

A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review. Among other things, we’ve added new checks to identify the insecure ViewState issues as recently reported by Trustwave’s SpiderLabs [1].

Download Watcher from CodePlex. A short list of new features and improvements includes:

  • A separate, optional component to export results to Team Foundation Server.
  • New check to identify insecure ASP.NET VIEWSTATE configurations subject to tampering and pervasive XSS attacks.
  • New check to identify insecure JavaServer MyFaces ViewState subject to tampering and XSS attacks.
  • New check for Silverlight EnableHtmlAccess.
  • Export results to HTML report.
  • Compliance mappings to Microsoft SDL.
  • If no origin domain is specified, each response domain will be treated as the origin, enabling better cross-domain analysis.
  • Assorted bug fixes and improvements.

Bryan Sullivan and Patrick Toomey’s ViewStateViewer plugin [2] provided inspiration for detecting ASP.NET VIEWSTATE MAC protection. When testing .NET 4.0 we discovered a change in the MAC implementation which has also been accounted for in this check. David Byrne from Trustwave [1] provided most of the methodology ideas for detecting insecure JavaServer MyFaces ViewState.

In addition to the main developers (Robert Mooney and Samuel Bucholtz), we wanted to thank everyone who helped or provided suggestions for this release:

Hidetake Jo
Bryan Sullivan
David Byrne
Jason D. Montgomery
Dave Wichers

[1] Trustwave advisory
[2] ViewStateViewer plugin for Fiddler

New improved Watcher version 1.2.2 released

August 26th, 2009 by

A new point version of Watcher, Casaba's open source, passive, web security analyzer has been released on Codeplex. New in this version is multi-threaded check engine, support for OWASP's Application Security Verification Standard, and a number of new security checks.

For more information checkout:

Microsoft SDL blog post about Watcher

April 18th, 2009 by

Microsoft mentioned Watcher's usefulness in Web-security testing and SDL requirements verification. We're working to make this tool better so please share your success stories, bugs or false positives with us.

Watcher v1.1.0 released

April 12th, 2009 by

We've made some significant improvements to the Watcher web security and compliance auditing tool in version 1.1.0. Some new checks have been added, bug fixes, and performance improvements.

I wanted to point out that Watcher helps not only in testing and auditing Web applications, but it has checks to assess the security strength of the operational configurations as well, such as the SSL version being used. We've also added a check for SharePoint related assessment, and are working to add more Sharepoing security tests in the next version.

Eric Lawrence introduces Watcher tool at MIX09 Conference

March 21st, 2009 by

I'm happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence announced our Watcher tool at MIX09 today. Check out his talk at it's an eye opener for Web developers – introducing us to the new features of IE8 while also covering state-of-the-art secure development practices for today's Web applications.

Unfortunately CodePlex went down today, even with Microsoft's new release of !exploitable at CanSecWest. Anyhow we're working hard to to add new checks to Watcher and reduce false positives in existing ones. So please grab Watcher from Codeplex and send us any feedback you want.

Watcher security tool for web applications

March 12th, 2009 by

Watcher is being released under an Open Source license. With over 30 checks in its first release, it helps you find issues in your web-apps fast and effortlessly. Watcher is a Fiddler plugin that passively audits a web application for a variety of security issues. It acts as an assistant to the developer, tester, or pen-tester, by quickly identifying issues that commonly lead to security problems in web apps. Integrate it into your test passes to achieve more coverage of security testing goals.

Go get Watcher.