Jul 10 2008

Ratproxy is an open-source, semi-automated, largely passive web application security audit tool from the search giant Google. It is meant to complement the active crawlers and manual proxies more commonly used for this task, and is optimized specifically for accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns, based on observation of existing, user-initiated traffic in complex Web 2.0 environments.

In its simplest mode of operation, Ratproxy sits as a proxy and logs the outbound web requests (in advanced modes it can also be made to accept inbound connections); later you run the report tool over that log to get a more meaningful report on your security audit.

The approach taken with ratproxy offers several important advantages over more traditional methods:

No risk of disruptions – In the default operating mode, the tool does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms.

Low effort, high yield – Compared to active scanners or fully manual proxy-based testing, ratproxy assessments take very little time or bandwidth to run, and proceed in an intuitive, distraction-free manner – yet provide a good insight into the inner workings of a product, and the potential security vulnerabilities therein. They also afford a consistent and predictable coverage of user-accessible features.

Preserved control flow of human interaction – By silently following the browser, the coverage in locations protected by nonces, during other operations valid only under certain circumstances, or during dynamic events such as cross-domain Referer data disclosure, is greatly enhanced. Brute-force crawlers and fuzzers usually have no way to explore these areas in a reliable manner.

WYSIWYG data on script behavior – JavaScript interfaces and event handlers are explored precisely to the degree they are used in the browser, with no need for complex guesswork or simulations. Active scanners often have significant difficulty exploring JSON responses, XMLHttpRequest() behavior, UI-triggered event data flow, and the like.

Easy process integration – The proxy can be transparently integrated into existing manual security testing or interface QA processes without introducing significant setup or operator training overhead.

To install Ratproxy

Download the latest source, available from here:

opensuse11:~ # wget http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz

Unzip & Untar

opensuse11:~ # tar -zxvf ratproxy-1.51.tar.gz

Install Ratproxy

Change into the extracted directory and build.

opensuse11:~ # cd ratproxy-1.51

opensuse11:~/ratproxy-1.51 # make

That builds the Ratproxy tool in the source directory on your SUSE or openSUSE Linux.

OK. Let’s get on and try to run a simple security audit.

Start Ratproxy

From the source directory, start ratproxy as follows:

opensuse11:~/ratproxy-1.51 # ./ratproxy -w report_file -v /report_dir

where

the “-w” switch instructs Ratproxy to log the web requests to a file named report_file
the “-v” switch instructs Ratproxy to save the report_file into the /report_dir directory

By default, Ratproxy listens on port 8080 (the default for most proxies); this can be changed.

Modify browser settings

Now, modify the network settings of your browser to use a proxy server and port, the proxy server being “localhost” and the port “8080”. In Firefox, click Edit – Preferences – Advanced – Network Settings and enter “localhost” and “8080” as the proxy server and port.

This makes the browser forward all web requests to localhost:8080, where Ratproxy is listening. This is absolutely non-disruptive and doesn’t affect performance.

When you are happy that enough has been captured, press CTRL+C to stop Ratproxy and revert the proxy changes in your browser (otherwise, with Ratproxy stopped and the proxy setting still in place, web browsing will fail).

Convert the file into a meaningful report

Now that we have captured enough, run the report conversion tool to turn the report file into a meaningful, clearly presented HTML report. A sample is shown in the screenshots. I’ve just browsed google.co.uk & yahoo.com.

opensuse:~/ratproxy-1.51 # ./ratproxy-report.sh report_file > report.html

Now you can open the report.html file in a browser and see what you’ve found for yourself. All those transactions that happened in the background are shown in front of you!!
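As an added example (not code from the original post or from the ratproxy project), the following shell script wraps the whole session described above: it switches a Firefox profile to localhost:8080 by writing the equivalent user.js preferences instead of clicking through the preferences dialog, starts Ratproxy with the same -w and -v switches, and, once CTRL+C has stopped the proxy, always reverts the browser setting before converting the log with ratproxy-report.sh, so the failure mode noted above (proxy still set, proxy gone) cannot happen. It goes a little beyond the post in scripting the Firefox side. Assumptions: ratproxy and ratproxy-report.sh are in the current directory (the extracted ratproxy-1.51 tree); FIREFOX_PROFILE, LOG_FILE, TRACE_DIR and all function names are this example's own; Firefox is closed while its user.js is edited, since it reads that file only at startup; the -p switch, which the post does not mention, selects Ratproxy's listening port.

```shell
#!/bin/sh
# Added example, not from the original post or the ratproxy project.
# Wraps the session described above so that the browser proxy setting is
# always reverted once Ratproxy stops, and the HTML report is only generated
# when the log actually contains requests.
# Assumptions: ratproxy and ratproxy-report.sh sit in the current directory
# (the extracted ratproxy-1.51 tree); FIREFOX_PROFILE is a hypothetical path
# to the Firefox profile to configure; Firefox is closed while user.js is
# edited, because it reads that file only at startup.

PROXY_HOST="${PROXY_HOST:-localhost}"
PROXY_PORT="${PROXY_PORT:-8080}"        # Ratproxy's default listening port
LOG_FILE="${LOG_FILE:-report_file}"     # passed to -w, as in the post
TRACE_DIR="${TRACE_DIR:-/report_dir}"   # passed to -v, as in the post
FIREFOX_PROFILE="${FIREFOX_PROFILE:-$HOME/.mozilla/firefox/audit.default}"  # hypothetical

MARKER='// ratproxy-audit proxy settings'

# Print the user.js lines that send HTTP and HTTPS through the proxy.
# network.proxy.type 1 means "manual proxy configuration".
firefox_proxy_prefs() {
    host="$1"; port="$2"
    cat <<EOF
$MARKER
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$host");
user_pref("network.proxy.http_port", $port);
user_pref("network.proxy.ssl", "$host");
user_pref("network.proxy.ssl_port", $port);
user_pref("network.proxy.no_proxies_on", "");
EOF
}

# Append the prefs to <profile>/user.js; the marker keeps this idempotent.
enable_browser_proxy() {
    profile="$1"
    mkdir -p "$profile"
    if grep -qF "$MARKER" "$profile/user.js" 2>/dev/null; then
        return 0
    fi
    firefox_proxy_prefs "$PROXY_HOST" "$PROXY_PORT" >> "$profile/user.js"
}

# Remove exactly the block written above: the "revert the proxy changes" step.
# Other lines in user.js are left untouched.
disable_browser_proxy() {
    profile="$1"
    [ -f "$profile/user.js" ] || return 0
    n=$(firefox_proxy_prefs "$PROXY_HOST" "$PROXY_PORT" | wc -l | tr -d ' ')
    awk -v m="$MARKER" -v n="$n" \
        '$0 == m { skip = n } skip > 0 { skip--; next } { print }' \
        "$profile/user.js" > "$profile/user.js.tmp"
    mv "$profile/user.js.tmp" "$profile/user.js"
}

# True when the -w log has captured at least one request.
log_has_requests() {
    [ -s "$1" ]
}

# Revert the browser and build the report; runs whether or not Ctrl+C was
# pressed, so a forgotten proxy setting never breaks browsing afterwards.
finish_audit() {
    disable_browser_proxy "$FIREFOX_PROFILE"
    if log_has_requests "$LOG_FILE"; then
        ./ratproxy-report.sh "$LOG_FILE" > report.html
        echo "report written to report.html"
    else
        echo "no requests were logged to $LOG_FILE; nothing to report" >&2
        return 1
    fi
}

run_audit() {
    enable_browser_proxy "$FIREFOX_PROFILE"
    mkdir -p "$TRACE_DIR"
    # A no-op INT handler keeps this script alive when Ctrl+C stops ratproxy
    # (the child process still gets the default SIGINT action and exits).
    trap ':' INT
    ./ratproxy -w "$LOG_FILE" -v "$TRACE_DIR" -p "$PROXY_PORT" || true
    trap - INT
    finish_audit
}

# Only run the full session when invoked as: ./audit.sh run
case "${1:-}" in
    run) run_audit ;;
esac
```

Save it as audit.sh in the ratproxy-1.51 directory, run ./audit.sh run with Firefox closed, start Firefox and browse, press CTRL+C, then open report.html. The user.js edit is deliberately a marked, removable block rather than a rewrite of the whole file, so any preferences the profile already had survive the revert.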

For more detailed advanced usage options, look into the “How to run the proxy” section here.

Simple but efficient tool!!!!