Butter Dev Logo

July 9, 2008

Google Ratproxy – Part 2 (Running and Using Ratproxy)

In my first Ratproxy post I provided instructions on building Ratproxy in a Windows/Cygwin environment.  In this post I will discuss running and using Ratproxy in a Windows/Cygwin environment. 

Run the Ratproxy executable (ratproxy.exe):

  1. Open a windows command prompt in the directory where ratproxy.exe lives.
  2. Enter: ratproxy.exe -v C:\cygwin -w ratproxy.log -p 8282 -d yourdomain.com -lfscm.  The -p parameter specifies the port that Ratproxy will use  (by default Ratproxy will use 8080) and the -d specifies the domain we will be testing (obviously enter your own domain here).  The rest of the parameters are straightforward and can be reviewed in the official documentation

Configure your browser to use Ratproxy:

Now that Ratproxy is running you need to configure your browser to use the proxy.

Internet Explorer 7

  1. Tools > Internet Options
  2. Connections  > LAN Settings
  3. Select ‘Use a proxy server for your LAN’
  4. Address: The location where Ratproxy is running (localhost or should work).
  5. Port: The port you chose to bind Ratproxy to (in this example 8282). 
  6. Now close and open a fresh browser window. 

Firefox 3.0

  1. Tools > Options
  2. Network > Settings
  3. Select ‘Manual proxy configuration’
  4. HTTP Proxy: The location where Ratproxy is running (localhost or should work).
  5. Port: The port you chose to bind Ratproxy to (in this example 8282). 
  6. Now close and open a fresh browser window. 

If you don’t have this configured correctly or if Ratproxy is not running your browser will display an error indicating that the proxy server refused connection.

Do Stuff – and let Ratproxy do the hard work!:

That’s it.  Now all you need to do is step through your website highlighting the main errors that you think may be vulnerable.  Ratproxy will be tracking your session behind the scenes. 

Generate a formatted HTML report of Ratproxy findings:

  1. Open the Cygwin bash shell.
  2. cd to the ratproxy directory
  3. Enter: sh ratproxy-report.sh ratproxy.log > report.html

Ratproxy will generate a nicely formatted HTML report.  That is all for this post, I hope it was helpful.


July 7, 2008

Google Ratproxy – Part 1 (Building Ratproxy in Windows)

Recently, I have been studying web application security and some of my research led me to RatproxyRatproxy is a web application security audit tool recently released by Google.  In this post I will show you how to install Ratproxy in a Windows environment.

What you will need:

  1. In order to run ratproxy in a windows environment you will need Cygwin (http://www.cygwin.com/).
  2. The current Ratproxy release — http://code.google.com/p/ratproxy/.

Installing Cygwin:

From the Cygwin home page (http://www.cygwin.com/).:

  1. Select the “Install or update now!” link to download the Cygwin setup.
  2. When the download is complete run setup.exe.
  3. Select “Install from Internet” > Next.
  4. The next few screens are self explanatory.  You will choose your installation directory (the default is fine) and a few other options (all of the default options should be fine).
  5. After you choose a mirror the download will begin.  After the download is complete you will be presented with a screen prompting you to select the packages you would like to install.  VERY IMPORTANT– There are a few utilities required to build Ratproxy that are not installed by default by the Cygwin installer.
    1. make – Located in ‘Devel’.
    2. gcc-core – Also located in ‘Devel’.
    3. openssl-devel – Also located in ‘Devel’.
    4. openssl (The OpenSSL runtime environment) – Located in ‘Libs’ or ‘Net’.

The preceding four packages must be installed or you will not be able to build or run Ratproxy.  Make sure they are not being skipped (there should be an X in the box next to each item).

Building Ratproxy:

Once Cygwin is installed with all of the required packages you are ready to build Ratproxy.

  1. Unzip Ratproxy into your Cygwin directory (c:\cygwin).
  2. Modify the make file packaged with Ratproxy – The Ratproxy Makefile contains a flag that is not compatible with the compiler installed with Cygwin.  This can be fixed by making a small modifcation to Makefile.
    1. Open Makefile (located at the root of your Ratproxy install).
    2. Look for this line — CFLAGS  = -Wall -O3 -Wno-pointer-sign -D_GNU_SOURCE
    3. Remove -Wno-pointer-sign
  3. The affected portions of the Makefile should now look like this:

    PROGNAME = ratproxy
    CFLAGS	 = -Wall -O3 -D_GNU_SOURCE
    LDFLAGS  = -lcrypto -lssl
  4. Flare-dist – Now you need to download the Flare action script decompiler for Windows. From the Ratproxy root open the flare-dist directory. Directions for downloading the Flare action script decompiler are in the README file. Download the distribution at http://www.nowrap.de/download/flare06doswin.zip. Then unzip the file into Ratproxy/flare-dist. You should now have a file called flare.exe (remove the file that was distributed with Ratproxy — flare with no extension).
  5. Make Ratproxy – Now we are ready to make Ratproxy.
    1. Open your Cygwin bash shell (by selecting your Cygwin shortcut or by running Cygwin.bat).
    2. Navigate into the Ratproxy directory – At the command prompt enter ‘cd /ratproxy’ (remember we saved Ratproxy at our Cygwin root).
    3. Run make – At the command prompt enter ‘make’

The ‘make’ command should run and complete successfully. You will be left with a compiled ratproxy.exe in your Ratproxy directory. Important: In order to run Ratproxy you will need to make sure the Cygwin/bin directory is in your Windows path (else the exe will blow up when you run it).

To add the Cygwin libraries to your Windows path (in Vista).

  1. Right-click the ‘My Computer Icon’ and select ‘Properties’.
  2. Select ‘Advanced system settings’ and then select the ‘Environmental Variables’ button.
  3. Find the ‘Path’ variable under ‘System variables’ and select the ‘Edit’ button.
  4. Append ;C:\Cygwin\bin to the ‘Variable value’.

You can now use that executable to run Ratproxy according to the documentation on the Ratproxy site.  That is all for this post in part two I discuss running Ratproxy.

February 9, 2008

Web Application Security with WebGoat (OWASP)

If you develop applications for the web understanding the latest security exploits is crucial to securing your site.  WebGoat by the Open Web Application Security Project is a great tool to test your knowledge.  WebGoat is a J2ee application designed to deploy to Tomcat.  The application contains numerous security holes and lessons dedicated to showing users (hands on) how to exploit them.  I highly recommend WebGoat and enjoyed going through the lessons.  You will need WebScarab for the advanced lessons.