Watcher: a free web-app security vulnerability scanner

I announced Watcher at CanSecWest and I’m happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence also announced our it at MIX09 yesterday. Check out his talk at it’s an eye opener for Web developers - introducing us to the new features of IE8 while also covering state-of-the-art secure development practices for today’s Web applications.

Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues. Here’s some of the issues Watcher has checks for now:

Cross-domain stylesheet and javascript references
User-controllable cross-domain references
User-controllable attribute values such as href, form action, etc.
Cross-domain form POSTs
Insecure cookies which don’t set the HTTPOnly or secure flags
Open redirects which can be abused by spammers and phishers
Insecure Flash object parameters useful for cross-site scripting
Insecure Flash crossdomain.xml
Insecure Silverlight clientaccesspolicy.xml
Charset declarations which could introduce vulnerability (non-UTF-8)
User-controllable charset declarations
Dangerous context-switching between HTTP and HTTPS
Insufficient use of cache-control headers when private data concerned (e.g. no-store)
Potential HTTP referer leaks of sensitive user-information
Information leaks in the URL (email address, sessionId, etc)
Source code comments worth a closer look
Insecure authentication protocols like Digest and Basic
SSL certificate validation errors
SSL insecure protocol issues (allowing SSL v2)
Weak authentication protocols
Unicode ill-formed byte streams

It’s being released under an Open Source license so if you want to help add new checks please let me know.

Download the Watcher web security tool from Codeplex