Conducting a passive security audit with Ratproxy

Published on 2012-12-27 by John Collins.

Introduction to Ratproxy

According to the Ratproxy website, Ratproxy is:

"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."

Written by Michal Zalewski, author of Silence on the Wire, Ratproxy is a very useful tool for carrying out a passive (non-intrusive) audit of a web application: it detects the common issues it knows how to test for and brings them to your attention in a report.

As Ratproxy is a proxy server, it sits between your web browser and the server you are testing. All HTTP requests and responses between you and the web server therefore pass through Ratproxy, which logs and analyses them.

In this tutorial, I will show you how to install and run Ratproxy, then configure Firefox to use it as a proxy server for connecting to the Internet. To keep things simple, however, the web application we are testing is actually running on localhost.

Installing Ratproxy on Fedora

As I am a Fedora user, these notes are for Fedora 17 but should work equally well for other Red Hat-based Linux distributions. The latest version of Ratproxy is 1.58, which is already available in the Fedora 17 repository:

$ yum list ratproxy
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
ratproxy.x86_64                        1.58-4.fc17                        fedora

So go ahead and install from there:

$ yum install ratproxy

Configuring Ratproxy and Firefox

The following command starts Ratproxy and tells it to look for high-probability issues only, which is a good place to start:

$ ratproxy -v Security/ratproxy/ -w Security/ratproxy/ratproxy.log -d localhost -lfscm
ratproxy version 1.56-beta by 
[*] Proxy configured successfully. Have fun, and please do not be evil.
[+] Accepting connections on port 8080/tcp (local only)...

The -v flag tells Ratproxy the directory in which to store its machine-readable output files, while the -w flag gives the location of the main log file to generate. The -d flag restricts the audit to the given web domain, in this case localhost.

See the project wiki for more options: RatproxyDoc

Now in Firefox, select Edit - Preferences - Advanced - Network from the menu, and beside Connection choose Settings...

Now choose the Manual proxy configuration radio button, and enter localhost as the HTTP Proxy and 8080 as the Port (the port Ratproxy reported it is listening on above).

Make sure the No Proxy for field does not contain localhost. Now visit the site you want to test and execute your test cases as usual; Ratproxy will be logging at this point.

Viewing the reports

Once you are finished testing the web application, kill Ratproxy with Ctrl-C. Now generate an HTML report from the log:

$ ratproxy-report Security/ratproxy/ratproxy.log > Security/ratproxy/report.html

And here is the report when viewed in a browser:

At this point you will need to investigate and take action on each item in the report.
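To make concrete what a passive audit of observed traffic amounts to, here is an added example (my own toy code, not Ratproxy's) that runs checks in the spirit of the -d, -s, -c and -m/-f switches over a few constructed request/response records and renders a plain-text stand-in for the report. The severity labels, the set of "active" content types and the check for missing Secure/HttpOnly cookie attributes are assumptions made for this example.

```python
"""Toy passive audit over recorded HTTP traffic (added example, not Ratproxy's code).
Mimics ratproxy's -d (audit one domain), -s (log POSTs), -c (log cookie-setting
URLs) and -m/-f (log active content) switches, then renders a text report."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Content types treated as "active content" here (an assumption for this example).
ACTIVE_TYPES = {"application/x-shockwave-flash", "application/javascript"}

SAMPLE_TRAFFIC = [  # constructed request/response records, not real captured traffic
    {"method": "GET", "url": "http://localhost/login",
     "response_headers": {"content-type": "text/html"}},
    {"method": "POST", "url": "http://localhost/login",
     "response_headers": {"content-type": "text/html",
                          "set-cookie": ["sid=abc123; Path=/; HttpOnly"]}},
    {"method": "GET", "url": "http://localhost/player.swf",
     "response_headers": {"content-type": "application/x-shockwave-flash"}},
    {"method": "GET", "url": "http://cdn.example.test/lib.js",
     "response_headers": {"content-type": "application/javascript"}},
]

def audit(transactions, domain):
    """Return (severity, url, message) findings for traffic to `domain` only."""
    findings = []
    for tx in transactions:
        url = tx["url"]
        if urlparse(url).hostname != domain:   # -d: out-of-scope host, ignore it
            continue
        headers = tx["response_headers"]
        if tx["method"] == "POST":             # -s: every state-changing request
            findings.append(("low", url, "POST request observed"))
        for raw in headers.get("set-cookie", []):   # -c: cookie-setting URL
            for name, morsel in SimpleCookie(raw).items():
                missing = [a for a in ("secure", "httponly") if not morsel[a]]  # True or ""
                msg = f"cookie {name} lacks {', '.join(missing)}" if missing else f"cookie {name} set"
                findings.append(("medium" if missing else "info", url, msg))
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype in ACTIVE_TYPES:              # -m/-f: active content served
            findings.append(("low", url, f"active content served as {ctype}"))
    return findings

def render_report(findings):
    """Plain-text stand-in for the HTML report; most severe findings first."""
    rank = {"medium": 0, "low": 1, "info": 2}
    ordered = sorted(findings, key=lambda f: rank[f[0]])
    return "\n".join(f"[{sev}] {url}: {msg}" for sev, url, msg in ordered) or "no findings"

if __name__ == "__main__":
    print(render_report(audit(SAMPLE_TRAFFIC, "localhost")))
```

Traffic to cdn.example.test is dropped by the domain filter, so the report for localhost lists the POST, the session cookie without Secure, and the Flash file.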


Updated 2023: note that the above post was originally published in 2012, but is left here for archival purposes. I have fixed some broken links above. Sadly, it seems this project is no longer maintained.