Security Basics mailing list archives
Re: ratproxy issues
From: "Alonso Caballero Quezada / ReYDeS" <reydes () gmail com>
Date: Mon, 10 Nov 2008 12:09:20 -0500
Greetings:
Hey Alonso, I would like to talk about the use of ratproxy, and the issues reported.
1- Test Phase
I test the systems with the following parameters: -rlextifscgjm -XCrlfscmetigj (for active testing). What parameters do you use?
Well: # ./ratproxy -w /tmp/ratlog -v /tmp/rattraces -2 -e -x -t -i -f -s -c -g -j -X -C -d www.midominio.net
To perform the test I click on every app's link, but it is a little boring, and there's a risk of forgetting some link. Let alone a big one. How do you proceed to test your apps?
Here you have to do a mix of automated checks and manual verification. The best of guides: OWASP.
2- Issues Phase
Ratproxy reported some high risk issues, so I need to understand them in order to convince the developers. I've found this link http://code.google.com/p/doctype/wiki/ArticlesXSS that explains many of the threats reported by ratproxy. What approach do you use in order to convince the developers team about the risks exposed?
Although ratproxy minimizes false positives, it is necessary to conduct a manual verification of the results. Again: OWASP Development Guide 2.0 X)
Is there any comparison between ratproxy and other pen test tools?
Ratproxy is a "passive" web application security audit tool. You should use multiple tools to do a good job.
Thanks, André
No problem. Sincerely: -- Alonso Caballero Quezada aka ReYDeS - ReYDeS () gmail com GIAC Computer and Network Security Awareness (SSP-CNSA) http://alonsocaballero.informatizate.net - LRU #307242 PeruSEC.org - informatizate.net - NoticiasTrujillo.com
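André's worry above is that clicking every link by hand is tedious and that some link will be forgotten, while Alonso's answer is to mix automated checks with manual verification. Because ratproxy is passive, it only sees the traffic the tester generates, so one way to make sure every reachable page of your own application passes through it is a small same-origin crawler that sends its requests through the proxy. The script below is an added example and is not part of the original thread or of ratproxy itself; the proxy address 127.0.0.1:8080, the crawl limit and the sample site app.example are assumptions and constructed data.

```python
"""Drive every same-origin link of a web app through a local HTTP proxy
(assumed: ratproxy listening on 127.0.0.1:8080) so that no page is forgotten.

Added example; not code from the original thread or from the ratproxy project.
"""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

PROXY = "http://127.0.0.1:8080"  # assumed proxy listen address


class LinkExtractor(HTMLParser):
    """Collect href/src/action targets from an HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def extract_links(base_url, html):
    """Return absolute, fragment-stripped http(s) links found in html, in order, deduplicated."""
    parser = LinkExtractor()
    parser.feed(html)
    out = []
    for raw in parser.links:
        absolute, _fragment = urldefrag(urljoin(base_url, raw))
        if absolute.startswith(("http://", "https://")) and absolute not in out:
            out.append(absolute)
    return out


def same_origin(a, b):
    """True when both URLs share scheme and host:port (keeps the crawl on the tested app)."""
    pa, pb = urlparse(a), urlparse(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)


def fetch_via_proxy(url, proxy=PROXY):
    """Fetch url through the proxy so the proxy observes the request and response."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    with opener.open(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def crawl(start_url, fetch=fetch_via_proxy, max_pages=200):
    """Breadth-first visit of every same-origin URL reachable from start_url.

    Returns the URLs visited, in visit order. `fetch` is injectable so the
    walk can be exercised offline against constructed pages.
    """
    queue = [start_url]
    visited = []
    while queue and len(visited) < max_pages:
        url = queue.pop(0)
        if url in visited:
            continue
        try:
            body = fetch(url)
        except Exception:
            visited.append(url)  # record it anyway so the report shows it was attempted
            continue
        visited.append(url)
        for link in extract_links(url, body):
            if same_origin(start_url, link) and link not in visited and link not in queue:
                queue.append(link)
    return visited


# Constructed sample site for an offline dry run (not a real application).
SAMPLE_SITE = {
    "http://app.example/": '<a href="/login">Login</a><a href="about.html#top">About</a>'
                           '<a href="http://other.example/">ext</a>',
    "http://app.example/login": '<form action="/do_login"><input name="u"></form>',
    "http://app.example/about.html": '<a href="/">Home</a><img src="/logo.png">',
    "http://app.example/do_login": "",
    "http://app.example/logo.png": "",
}


def fetch_sample(url):
    """Offline stand-in for fetch_via_proxy that serves the constructed sample site."""
    return SAMPLE_SITE[url]


if __name__ == "__main__":
    # Dry run against the constructed site; swap fetch_sample for fetch_via_proxy
    # (with ratproxy started first) to exercise a real application through the proxy.
    for visited_url in crawl("http://app.example/", fetch=fetch_sample):
        print(visited_url)
```

The crawler only follows links, image sources and form actions that appear in the HTML; form submissions with real input, JavaScript-driven navigation and authenticated areas still need the manual clicking the thread describes, which is exactly the mix of automated and manual work Alonso recommends. The same-origin filter keeps the generated traffic on the application under test.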
Current thread:
- ratproxy issues acastanheira2001 (Nov 07)
- Re: ratproxy issues Alonso Caballero Quezada / ReYDeS (Nov 07)
- <Possible follow-ups>
- Fw: Re: ratproxy issues Andre Rodrigues (Nov 10)
- Re: ratproxy issues Alonso Caballero Quezada / ReYDeS (Nov 10)