Re: ratproxy issues

["Alonso Caballero Quezada / ReYDeS" <reydes () gmail com>]

Saludos:

> Hey Alonso,
>
> I would like to talk about the use of ratproxy, and the issues reported.
>
> 1- Test Phase
>
> I test the systems with the following parameters:
> -rlextifscgjm
> -XCrlfscmetigj  (for active testing).
>
> What parameteres do you use?

Well:

# ./ratproxy -w /tmp/ratlog -v /tmp/rattraces -2 -e -x -t -i -f -s -c
-g -j -X -C -d www.midominio.net

> To perform the test I click on every app´s link, but it is a little boring,
> and there´s a risk of forgeting some link. Let alone a big one.
>
> How do you proceed to test your apps?

Here you have to do a mix of automated check and verification manual.
The best of guides OWASP

> 2- Issues Phase
>
> Ratproxy reported some high risk issues, so I need to understand then in
> order to convince the developers.
>
> I´ve found found this link http://code.google.com/p/doctype/wiki/ArticlesXSS
> that explain many of the threats reported by ratproxy.
>
> What approach do you use in order to convince the developers team about the
> risks exposed?

Although ratproxy minimizes false positives, is due to conduct a
manual verification of results.
Again. OWASP Development Guide 2.0 X)

> Is there any comparison between ratproxy and other pen test tools?

RatsProxy is a "passive" web application security audit tool.
Should use multiple tools to do a good job.

> Thanks,
> André

  No problem.

 Atte:

-- 
Alonso Caballero Quezada aka ReYDeS - ReYDeS () gmail com
GIAC Computer and Network Security Awareness (SSP-CNSA)
http://alonsocaballero.informatizate.net - LRU #307242
PeruSEC.org - informatizate.net - NoticiasTrujillo.com