Casaba Security » Watcher

Porting Watcher checks to ModSecurity rules!

admin — Tue, 10 Jan 2012 23:55:49 +0000

Earlier this year, Ryan Barnett at TrustWave’s Spiderlabs started porting some of Watcher’s checks to ModSecurity. After we chatted about this, I decided to get involved. We always liked the idea of a server-side scanner watching the Web traffic, and since ModSecurity sits right in the sweet spot it all made sense to focus some effort there.

So over the past few months we’ve been working to port more of Watcher’s passive Web scanning checks to theModSecurity open source Web Application Firewall. It seems to be working out, as some of the rules have made it into the latest release of ModSecurity’s Core Rule Set v2.2.3 as well as some earlier rule sets. There’s more to come. Please send any feedback to me or Ryan, and look for more rules to be added very soon.

Watcher 1.4.0 released

Chris Weber — Tue, 25 May 2010 19:32:01 +0000

A new update to the Watcher passive Web-vulnerability scanner has been released. Based on user feedback we’ve built out the Wiki documentation on Codeplex with more details about the issues identified by each Watcher check. Inside the tool, a reference is now included as a link back to the Wiki. I hope to improve the documentation on the Wiki and welcome all your suggestions.

A new check has been added to detect when domain lowering occurs through javascript, typically done by setting document.domain equal to the parent domain. We’ve also made some more efforts at noise-reduction, by enabling some of the noise-reduction configurations by default, namely in the cookie and VIEWSTATE checks.

Watcher 1.3.0 released

Chris Weber — Thu, 25 Feb 2010 17:40:59 +0000

A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review. Among other things, we’ve added new checks to identify the insecure ViewState issues as recently reported by Trustwave’s SpiderLabs [1].

Download Watcher from CodePlex. A short list of new features and improvements includes:

A separate, optional component to export results to Team Foundation Server.
New check to identify insecure ASP.NET VIEWSTATE configurations subject to tampering and pervasive XSS attacks.
New check to identify insecure JavaServer MyFaces ViewState subject to tampering and XSS attacks.
New check for Silverlight EnableHtmlAccess.
Export results to HTML report.
Compliance mappings to Microsoft SDL.
If no origin domain is specified, each response domain will be treated as the origin, enabling better cross-domain analysis.
Assorted bug fixes and improvements.

Bryan Sullivan and Patrick Toomey’s ViewStateViewer plugin [2] provided inspiration for detecting ASP.NET VIEWSTATE MAC protection. When testing .NET 4.0 we discovered a change in the MAC implementation which has also been accounted for in this check. David Byrne from Trustwave [1] provided most of the methodology ideas for detecting insecure JavaServer MyFaces ViewState.

In addition to the main developers (Robert Mooney and Samuel Bucholtz), we wanted to thank everyone who helped or provided suggestions for this release:

Hidetake Jo
Bryan Sullivan
David Byrne
Jason D. Montgomery
Dave Wichers

[1] Trustwave advisory https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
[2] ViewStateViewer plugin for Fiddler http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/

New improved Watcher version 1.2.2 released

Samuel Bucholtz — Wed, 26 Aug 2009 00:23:02 +0000

A new point version of Watcher, Casaba's open source, passive, web security analyzer has been released on Codeplex. New in this version is multi-threaded check engine, support for OWASP's Application Security Verification Standard, and a number of new security checks.

For more information checkout: http://websecuritytool.codeplex.com/

Microsoft SDL blog post about Watcher

Chris Weber — Sat, 18 Apr 2009 20:22:37 +0000

Microsoft mentioned Watcher's usefulness in Web-security testing and SDL requirements verification . We're working to make this tool better so please share your success stories, bugs or false positives with us.

Watcher v1.1.0 released

Chris Weber — Sun, 12 Apr 2009 16:44:02 +0000

We've made some significant improvements to the Watcher web security and compliance auditing tool in version 1.1.0. Some new checks have been added, bug fixes, and performance improvements.

I wanted to point out that Watcher helps not only in testing and auditing Web applications, but it has checks to assess the security strength of the operational configurations as well, such as the SSL version being used. We've also added a check for SharePoint related assessment, and are working to add more Sharepoing security tests in the next version.

Eric Lawrence introduces Watcher tool at MIX09 Conference

Chris Weber — Sat, 21 Mar 2009 05:23:42 +0000

I'm happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence announced our Watcher tool at MIX09 today. Check out his talk at http://videos.visitmix.com/MIX09/T54F it's an eye opener for Web developers – introducing us to the new features of IE8 while also covering state-of-the-art secure development practices for today's Web applications.

Unfortunately CodePlex went down today, even with Microsoft's new release of !exploitable at CanSecWest. Anyhow we're working hard to to add new checks to Watcher and reduce false positives in existing ones. So please grab Watcher from Codeplex and send us any feedback you want.

Watcher security tool for web applications

Chris Weber — Thu, 12 Mar 2009 04:06:15 +0000

Watcher is being released under an Open Source license. With over 30 checks in its first release, it helps you find issues in your web-apps fast and effortlessly. Watcher is a Fiddler plugin that passively audits a web application for a variety of security issues. It acts as an assistant to the developer, tester, or pen-tester, by quickly identifying issues that commonly lead to security problems in web apps. Integrate it into your test passes to achieve more coverage of security testing goals.

Go get Watcher.