Published on 2012-12-27 by John Collins.
According to the Ratproxy website, Ratproxy is:
"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."
Written by Michal Zalewski, who is the author of Silence on the Wire, Ratproxy is a very useful tool for carrying out a passive (non-intrusive) audit of a web application, to detect any common issues that Ratproxy can test for and bring to your attention via a report.
As Ratproxy is a proxy server, it sits between your web browser and the server you are testing.
All HTTP requests and responses between you and the web server are logged and analysed by Ratproxy.
In this tutorial, I will show you how to install and run Ratproxy, then configure Firefox to use Ratproxy as a proxy server to connect to the Internet. To keep things simple, however, the web application we are testing is actually running on localhost.
As I am a Fedora user, these notes are for Fedora 17 but should work equally well for other Red Hat-based Linux distributions. The latest version of Ratproxy is 1.58, which is already available in the Fedora 17 repository:
$ yum list ratproxy
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
ratproxy.x86_64    1.58-4.fc17    fedora
So go ahead and install from there:
$ yum install ratproxy
The following command will start Ratproxy and get it to look for high-probability issues only, which is a good place to start:
$ ratproxy -v Security/ratproxy/ -w Security/ratproxy/ratproxy.log -d localhost -lfscm
ratproxy version 1.56-beta by
[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...
The -v flag tells Ratproxy where to store machine-readable output files, while the -w flag indicates the location of the main log file to generate. The -d flag indicates the web domain that we are conducting the audit on, in this case localhost.
See the project wiki for more options: RatproxyDoc
Now in Firefox, select from the menu Edit - Preferences - Advanced - Network, and beside Connection choose Settings....
Now choose the Manual proxy configuration radio button, and enter the address Ratproxy is listening on; per the startup output above, that is port 8080 on the local machine.
Make sure No Proxy for does not contain localhost. Now visit the site you want to test and execute your test cases as usual (Ratproxy will be logging at this point).
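A check for the proxy settings described above, as an added example that is not part of the original tutorial: it reads the text of a Firefox profile's prefs.js and lists anything that would keep traffic to the test host from reaching Ratproxy. It assumes the standard Firefox preference names network.proxy.type, network.proxy.http, network.proxy.http_port and network.proxy.no_proxies_on; the function names and sample profiles are constructed for illustration.

```python
import re

# One setting per line in a Firefox profile's prefs.js: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*)\);\s*$')

def parse_prefs(text):
    """Return {name: value}; quoted strings are unquoted, integers converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            name, raw = m.group(1), m.group(2).strip()
            if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
                prefs[name] = raw[1:-1]
            elif raw.lstrip("-").isdigit():
                prefs[name] = int(raw)
            else:
                prefs[name] = raw  # true / false and anything else stay as text
    return prefs

def audit_proxy_prefs(prefs, target="localhost", port=8080):
    """List reasons why traffic to `target` would not pass through Ratproxy."""
    problems = []
    if prefs.get("network.proxy.type") != 1:  # 1 = manual proxy configuration
        problems.append("manual proxy configuration is not selected")
    if prefs.get("network.proxy.http") not in ("127.0.0.1", "localhost"):
        problems.append("HTTP proxy host is not the local machine")
    if prefs.get("network.proxy.http_port") != port:
        problems.append("HTTP proxy port is not %d" % port)
    bypass = prefs.get("network.proxy.no_proxies_on")
    if bypass is None:
        problems.append("'No Proxy for' is not set in prefs.js; check the dialog")
    else:
        entries = {e.strip().lower() for e in bypass.split(",") if e.strip()}
        if target.lower() in entries:
            problems.append("'No Proxy for' contains %s" % target)
    return problems

# Constructed sample profiles (not taken from a real browser).
GOOD = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.no_proxies_on", "");
'''
BAD = GOOD.replace('no_proxies_on", ""', 'no_proxies_on", "localhost, 127.0.0.1"')

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_proxy_prefs(parse_prefs(text)) or "ok")
```

An empty result means requests to the test host will be proxied; if the report later comes out empty, a 'No Proxy for' entry matching the test host is the first thing to rule out.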
Once you are finished testing the web application, kill Ratproxy with Ctrl-C. Now generate an HTML report from the log:
$ ratproxy-report Security/ratproxy/ratproxy.log > Security/ratproxy/report.html
And here is the report when viewed in a browser:
At this point you will need to investigate and take action on each item in the report.