Playing With Ratproxy - Passive Web Application Security Assessment Tool

I know many of you may already know about this Google tool, and I am a little late to play with it. I am posting anyway in case someone has still not checked it out. If you were following me on Twitter you may have seen my tweet some days back. Even though I thought of writing a blog post, I was too lazy and somewhat busy :). But today I thought of playing with it. I hope you too will enjoy looking for the security issues in your website. This is a great tool to check out. It is from Michal Zalewski of Google and has been licensed under the Apache License agreement.

What is ratproxy?

You may have heard about proxy servers, but this is not a proxy server to bypass any of the social networking websites :). This is a great tool for web developers, website owners or even clients who want to test their website before payment is made. So let me copy the definition of what ratproxy is:

“Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. The approach taken with ratproxy offers several important advantages over more traditional methods:

– No risk of disruptions.
– Low effort, high yield.
– Preserved control flow of human interaction.
– WYSIWYG data on script behavior.
– Easy process integration.”

Ratproxy is written in C. Yeah, it was my favourite language at college, though I am not so powerful in it :). I remembered compiling C programs from Linux terminals when I was at college. You may run into errors when compiling it with the make command, something like the below:
    hari@hari-laptop:/var/www/ratproxy$ make
    cc ratproxy.c -o ratproxy  -Wall -O3 -Wno-pointer-sign -D_GNU_SOURCE http.c mime.c ssl.c -lcrypto -lssl
    ratproxy.c:43:25: error: openssl/md5.h: No such file or directory
    ratproxy.c: In function ‘decode_flash’:
    ratproxy.c:615: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

The error means the OpenSSL development headers are missing. Just install the libssl-dev package using Synaptic or apt-get. Compile it once again and, yes, I hope you are done without errors.

Download the Quick Proxy add-on for Mozilla Firefox, so you can easily switch from one proxy to the other. You need to configure the proxy server: go to Edit -> Preferences -> Advanced -> Network tab -> Settings -> Manual proxy and add it (ratproxy listens locally on port 8080/tcp, as the startup output below shows). Now just close and start your Mozilla Firefox once again.

Run from the terminal:

    hari@hari-laptop:/var/www/ratproxy$ ./ratproxy -v dumps -w mysite.log -d -XClfscm
    ratproxy version 1.58-beta by <>
    [*] Proxy configured successfully. Have fun, and please do not be evil.
        WARNING: Disruptive tests enabled. use with care.
    [+] Accepting connections on port 8080/tcp (local only)…

As the warning in the output says, this set of options enables disruptive tests, so in this mode ratproxy is no longer purely passive.

Browse, upload, download and do whatever things you love. Don’t forget to pass JavaScript, some unwanted test queries, etc. Try SQL injections also. You will get a detailed report. You can see how vulnerable your server is. It may be more than this :).

The report can be made by running:

    hari@hari-laptop:/var/www/ratproxy$ ./ mysite.log > report.html

Please don’t use this tool for EVIL. Do it for good, to make a wonderful web tomorrow. I love good techniques and good people. If you are trying to crack, I may call you a F*cker. Hope you enjoyed the new tool to fix the issues. You can get more information from This is also a wonderful tutorial. Don’t forget to check it out.

Updated: After playing with ratproxy, I came across other solutions too. Many of them are open-source and the list is