<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Web Admin Blog &#187; ratproxy</title>
	<atom:link href="http://www.webadminblog.com/index.php/tag/ratproxy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.webadminblog.com</link>
	<description>Real Web Admins.  Real World Experience.</description>
	<lastBuildDate>Thu, 22 Jul 2010 16:18:30 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Using Proxies to Secure Applications and More</title>
		<link>http://www.webadminblog.com/index.php/2008/10/31/using-proxies-to-secure-applications-and-more/</link>
		<comments>http://www.webadminblog.com/index.php/2008/10/31/using-proxies-to-secure-applications-and-more/#comments</comments>
		<pubDate>Fri, 31 Oct 2008 15:27:15 +0000</pubDate>
		<dc:creator>Josh</dc:creator>
				<category><![CDATA[Software and Tools]]></category>
		<category><![CDATA[Web Application Security]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[owasp]]></category>
		<category><![CDATA[proxies]]></category>
		<category><![CDATA[ratproxy]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[tamperdata]]></category>
		<category><![CDATA[web]]></category>
		<category><![CDATA[webscarab]]></category>

		<guid isPermaLink="false">http://www.webadminblog.com/?p=159</guid>
		<description><![CDATA[I've been really surprised that for as long as I've been active with OWASP, I've never seen a proxy presentation.  After all, they are hugely beneficial in doing web application penetration testing and they're really not that difficult to use.  Take TamperData for example.  It's just a Firefox plugin, but it does header, cookie, GET, [...]]]></description>
			<content:encoded><![CDATA[<p>I've been really surprised that for as long as I've been active with OWASP, I've never seen a proxy presentation.  After all, they are hugely beneficial in doing web application penetration testing and they're really not that difficult to use.  Take TamperData for example.  It's just a Firefox plugin, but it does header, cookie, GET, and POST manipulation just as well as WebScarab.  Or Google Ratproxy, which works in the background while you browse around QA'ing your web site and gives you a nice actionable report when you're done.  I decided it was time to educate my peers on the awesomeness of proxies.</p>
<p>This past Tuesday I presented to a crowd of about 35 people at the Austin OWASP Meeting.  The title of my presentation was "Using Proxies to Secure Applications and More".  Since so many people came up to me afterward telling me what a great presentation it was and how they learned something they can take back to the office, I decided (with a little insistence from Ernest) that it was worth putting up on SlideShare and posting to the Web Admin Blog.</p>
<p>The presentation starts off with a brief description of what a proxy is.  Then, I talked about the different types of proxies.  Then, the bulk of the presentation was just me giving examples and demonstrating the various proxies.  I included anonymizing proxies, reverse proxies, and intercepting proxies.  While my slides can't substitute for the actual demo, I did try to include in them what tool I used for the demo.  If you have any specific questions, please let me know.  All that said, <a href="http://www.slideshare.net/jsokol/using-proxies-to-secure-applications-and-more-presentation" target="_blank">here's the presentation</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webadminblog.com/index.php/2008/10/31/using-proxies-to-secure-applications-and-more/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Google Ratproxy</title>
		<link>http://www.webadminblog.com/index.php/2008/07/22/google-ratproxy/</link>
		<comments>http://www.webadminblog.com/index.php/2008/07/22/google-ratproxy/#comments</comments>
		<pubDate>Tue, 22 Jul 2008 20:02:56 +0000</pubDate>
		<dc:creator>Josh</dc:creator>
				<category><![CDATA[Software and Tools]]></category>
		<category><![CDATA[Web Application Security]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[proxy]]></category>
		<category><![CDATA[ratproxy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://webadminblog.com/?p=30</guid>
		<description><![CDATA[If you are responsible for developing or maintaining a website and haven't checked out Ratproxy yet, you're missing out. Before I start spouting off about just how cool and useful this tool is, I suppose I should first tell you what a proxy is. In a nutshell, a proxy is an application that runs locally [...]]]></description>
			<content:encoded><![CDATA[<p>If you are responsible for developing or maintaining a website and haven't checked out Ratproxy yet, you're missing out.  Before I start spouting off about just how cool and useful this tool is, I suppose I should first tell you what a proxy is.  In a nutshell, a proxy is an application that runs locally on your computer and intercepts requests and responses between your web browser and the web server.  In almost all cases, the proxy has the ability to manipulate the conversation going on between the two.  Things like modifying your cookies, changing POST and GET parameters, and finding hidden fields are made uber-easy with the assistance of a proxy.</p>
<p><span id="more-30"></span></p>
<p>I don't claim to be an expert on proxies, but I have used several in the past including OWASP WebScarab and Paros.  While both of these tools provide features as described above, Ratproxy takes a very different approach.  You start up your proxy and tell the browser to pass requests through it.  Simple enough.  Then you just start surfing your website as though you were a regular user.  In the background, Ratproxy is collecting all sorts of useful information about the website.  When you're done surfing the site, you run the report which comes out as a nice web page full of useful information about the site.  It'll show you pages vulnerable to CSRF, XSS, and a host of other security vulnerabilities.  It ranks them based on high, medium, and low impact and provides very good explanations of the issues it has found.</p>
<p>The Ratproxy tool has ports for Mac OS X, Linux, and Cygwin (Windows).  When I first tried to compile it in Cygwin, I had all sorts of error messages, but then I found <a href="http://www.butterdev.com/web-security/2008/07/google-ratproxy-web-application-security-audit-tool/" target="_blank">this very helpful web page</a> that told me exactly what libraries Cygwin was missing in order for me to compile it correctly.  Part two of that article even goes on to tell you how to begin using Ratproxy.</p>
<p>To many, Web Application Security is a scary thing that takes a lot of time and effort to figure out how to do things right, but it doesn't have to be.  You also don't have to pay an arm and a leg to do a decent security audit of your website.  Start today by downloading Ratproxy and get a feel for how secure your site is without paying a dime.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webadminblog.com/index.php/2008/07/22/google-ratproxy/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
