14 DAY TRIAL // Watcher version 1.1.0 is now available for download from Microsoft's repository of open-source projects. The Redmond company is not the author of Watcher, but it is certainly recommending the tool via its online hotspot dedicated to the Security Development Lifecycle. Put together by Casaba Security, Watcher is designed to enhance Fiddler proxy, a tool developed by Eric Lawrence, IE program manager. In this context, the plug-in from Casaba Security complements Lawrence's web debugging proxy, closely monitoring and analyzing HTTP traffic.
“Watcher is a plug-in for Eric Lawrence’s Fiddler proxy aimed at helping developers and testers find security issues in their web-apps fast and effortlessly. Because it works passively at runtime, you have to drive it by opening a browser and cruising through your web-app as an end user. For the developer, the tool can provide a quick sanity check, so you can find problems and hot-spots that warrant further attention. In the hands of a pen-tester it can assist in finding issues that lead to other attacks like XSS and CSRF,” revealed Chris Weber of Casaba Security.
Version 1.1.0 of Watcher brings to the table no less than 35 checks. According to Weber, the tool will bring to the surface security issues that although evident are often overlooked. In this regard, the tool is capable of sniffing out a variety of vulnerabilities affecting areas such as cross-domain mashups, user-controlled HTML (potential XSS), open redirects, insecure handling of cookies, and Unicode, according to Weber.
“Setup is simple – install and run Fiddler, then launch the Watcher setup installer, or manually drop the Watcher DLL’s in Fiddler’s ‘scripts’ folder. Inside Fiddler, click Watcher’s “Security Auditor” tab and click ‘enable’. At this point the findings will start showing for any domain. To narrow things down, you’ll want to configure Watcher with the domain name you’re concerned about, and add any trusted domains you want to include,” Weber added.
Watcher version 1.1.0 is available for download here.
Fiddler is available for download here.