If you are responsible for developing or maintaining a website and haven’t checked out Ratproxy yet, you’re missing out. Before I start spouting off about just how cool and useful this tool is, I suppose I should first tell you what a proxy is. In a nutshell, a proxy is an application that runs locally on your computer and intercepts the requests and responses passing between your web browser and the web server. In almost all cases, the proxy has the ability to manipulate the conversation going on between the two. Things like modifying your cookies, changing POST and GET parameters, and finding hidden fields are made uber-easy with the assistance of a proxy.

I don’t claim to be an expert on proxies, but I have used several in the past, including OWASP WebScarab and Paros. While both of these tools provide the features described above, Ratproxy takes a very different approach. You start up the proxy and tell your browser to pass requests through it. Simple enough. Then you just start surfing your website as though you were a regular user. In the background, Ratproxy is collecting all sorts of useful information about the website. When you’re done surfing the site, you run the report, which comes out as a nice web page full of useful information about the site. It’ll show you pages vulnerable to CSRF, XSS, and a host of other security vulnerabilities. It ranks them as high, medium, or low impact and provides very good explanations of the issues it has found.
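As an added illustration that is not part of the original post or of Ratproxy itself, the Python below mimics that passive model on constructed captured exchanges: it sends no requests of its own, only inspects what the browser already fetched, and ranks CSRF and reflected-XSS candidates high, medium or low the way the report does. The URLs, page bodies and token names are invented.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed request/response pairs, as a browser-driven proxy would record them.
CAPTURED = [
    {"url": "http://shop.example/search?q=shoes", "body": "<h1>Results for shoes</h1>"},
    {"url": "http://shop.example/search?q=<b>hi</b>",
     "body": "<h1>Results for &lt;b&gt;hi&lt;/b&gt;</h1>"},  # properly encoded
    {"url": "http://shop.example/search?q=<i>x", "body": "<h1>Results for <i>x</h1>"},
    {"url": "http://shop.example/account",
     "body": '<form method="post" action="/account/email"><input name="email"></form>'},
    {"url": "http://shop.example/pay", "body": '<form method="post" action="/pay">'
     '<input type="hidden" name="csrf_token"><input name="amount"></form>'},
]

FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
TOKEN_NAMES = re.compile(r"csrf|xsrf|token|nonce", re.I)

def attr(name, tag):
    # Value of one attribute inside a single HTML tag, or "" if absent.
    m = re.search(name + r'=["\']?([^"\' >]+)', tag, re.I)
    return m.group(1) if m else ""

def check_reflection(x):
    """Query values that reappear in the body: markup echoed unencoded ranks high,
    plain text echoed back only proves the parameter reaches the page (low)."""
    found = []
    for name, value in parse_qsl(urlsplit(x["url"]).query):
        if value in x["body"]:
            sev = "high" if re.search(r'[<>"\']', value) else "low"
            found.append((sev, f'{x["url"]}: parameter "{name}" echoed '
                          + ("unencoded" if sev == "high" else "(encoding unverified)")))
    return found

def check_csrf(x):
    """POST forms carrying no hidden token-like field (CSRF candidates)."""
    found = []
    for form in FORM_RE.findall(x["body"]):
        if attr("method", form).lower() != "post":
            continue
        if not any(attr("type", t).lower() == "hidden" and TOKEN_NAMES.search(attr("name", t))
                   for t in INPUT_RE.findall(form)):
            found.append(("medium", f'{x["url"]}: POST form to {attr("action", form) or "?"} '
                                    "has no anti-CSRF token"))
    return found

def audit(captured):
    """Run every check over the capture and order the findings by impact."""
    findings = [f for x in captured for f in check_reflection(x) + check_csrf(x)]
    return sorted(findings, key=lambda f: ["high", "medium", "low"].index(f[0]))
```

Everything it lists is a candidate to confirm by hand, not a proven bug.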

The Ratproxy tool has ports for Mac OS X, Linux, and Cygwin (Windows). When I first tried to compile it in Cygwin, I got all sorts of error messages, but then I found this very helpful web page that told me exactly which libraries Cygwin was missing for it to compile correctly. Part two of that article even goes on to tell you how to begin using Ratproxy.

To many, web application security is a scary thing that takes a lot of time and effort to get right, but it doesn’t have to be. You also don’t have to pay an arm and a leg for a decent security audit of your website. Start today by downloading Ratproxy and get a feel for how secure your site is without paying a dime.