Watcher is a runtime passive-analysis tool for HTTP-based web applications. Being passive means it won't damage production systems, so it is safe to use in cloud computing, shared hosting, and dedicated hosting environments.
Major Features:
- Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, JavaScript, CSS, and development frameworks (e.g. ASP.NET, JavaServer Faces)
- Works seamlessly with complex Web 2.0 applications while you drive the Web browser
- Non-intrusive, will not raise alarms or damage production sites
- Real-time analysis and reporting – findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
- Configurable domains with wildcard support
- Extensible framework for adding new checks
Checks:
- ASP.NET VIEWSTATE insecure configurations
- JavaServer MyFaces ViewState without cryptographic protections
- Cross-domain stylesheet and JavaScript references
- User-controllable cross-domain references
- User-controllable attribute values such as href, form action, etc.
- User-controllable JavaScript events (e.g. onclick)
- Cross-domain form POSTs
- Insecure cookies which don't set the HttpOnly or Secure flags
- Open redirects which can be abused by spammers and phishers
- Insecure Flash object parameters useful for cross-site scripting
- Insecure Flash crossdomain.xml
- Insecure Silverlight clientaccesspolicy.xml
- Charset declarations which could introduce vulnerability (non-UTF-8)
- User-controllable charset declarations
- Dangerous context-switching between HTTP and HTTPS
- Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
- Potential HTTP Referer leaks of sensitive user information
- Potential information leaks in URL parameters
- Source code comments worth a closer look
- Insecure authentication protocols like Digest and Basic
- SSL certificate validation errors
- SSL insecure protocol issues (allowing SSL v2)
- Unicode issues with invalid byte streams
- Sharepoint insecurity checks
- more…
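To make the passive-check idea concrete, here is an added illustration (not Watcher's own code, which is a Fiddler add-on written in C#) of how a handful of the checks listed above can be run purely over a captured HTTP response: cookies missing HttpOnly or Secure, a private response without Cache-Control: no-store, Basic/Digest authentication, cross-domain form targets, and an HTTPS page whose form submits over plain HTTP. The response text, the URL, and the severity labels are constructed for the example; nothing is sent to any server, which is the point of passive analysis.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass
class Finding:
    """One row of the kind Watcher shows in its ListView (SessionID omitted here)."""
    severity: str   # constructed scale: High / Medium / Low
    title: str
    url: str
    detail: str


def parse_raw_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw HTTP response into lower-cased (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # [1:] drops the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def check_cookies(url: str, headers) -> List[Finding]:
    """Set-Cookie without HttpOnly, or without Secure on an HTTPS response."""
    https = urlparse(url).scheme == "https"
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(Finding("Medium", "Cookie without HttpOnly flag", url, cookie_name))
        if https and "secure" not in attrs:
            findings.append(Finding("Medium", "Cookie without Secure flag", url, cookie_name))
    return findings


def check_cache_control(url: str, headers) -> List[Finding]:
    """A response that sets a cookie is treated as private; it should say no-store."""
    if not any(n == "set-cookie" for n, _ in headers):
        return []
    cc = " ".join(v for n, v in headers if n == "cache-control").lower()
    if "no-store" in cc:
        return []
    return [Finding("Low", "Private response without Cache-Control: no-store",
                    url, cc or "(no Cache-Control header)")]


def check_auth_scheme(url: str, headers) -> List[Finding]:
    """Basic and Digest authentication are flagged; worse when not over HTTPS."""
    https = urlparse(url).scheme == "https"
    findings = []
    for name, value in headers:
        if name == "www-authenticate" and value.split()[0].lower() in ("basic", "digest"):
            findings.append(Finding("Medium" if https else "High",
                                    "Insecure authentication protocol offered", url, value))
    return findings


# Deliberately simple tag scan; a real checker would use an HTML parser.
FORM_ACTION = re.compile(r'<form\b[^>]*\baction\s*=\s*["\']?([^"\'\s>]+)', re.I)


def check_forms(url: str, body: str) -> List[Finding]:
    """Forms posting to another host, or from an HTTPS page to an http:// action."""
    page = urlparse(url)
    findings = []
    for action in FORM_ACTION.findall(body):
        target = urlparse(action)
        if not target.netloc:
            continue                               # relative action: same origin
        if page.scheme == "https" and target.scheme == "http":
            findings.append(Finding("High", "HTTPS page submits form over HTTP", url, action))
        elif target.netloc.lower() != page.netloc.lower():
            findings.append(Finding("Medium", "Cross-domain form target", url, action))
    return findings


def analyze(url: str, raw_response: str) -> List[Finding]:
    """Run every passive check over one captured response and collect the findings."""
    headers, body = parse_raw_response(raw_response)
    findings = []
    for check in (check_cookies, check_cache_control, check_auth_scheme):
        findings.extend(check(url, headers))
    findings.extend(check_forms(url, body))
    return findings


# Constructed sample: a hypothetical HTTPS account page with several weaknesses.
SAMPLE_URL = "https://shop.example.test/account"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    "Cache-Control: private, max-age=0\r\n"
    "WWW-Authenticate: Basic realm=\"admin\"\r\n"
    "\r\n"
    "<html><body>"
    "<form action=\"http://shop.example.test/login\" method=\"post\"></form>"
    "<form action='https://analytics.partner.test/track' method=post></form>"
    "<form action=\"/local\" method=\"post\"></form>"
    "</body></html>"
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_URL, SAMPLE_RESPONSE):
        print(f"{f.severity:<7} {f.title:<50} {f.url}  [{f.detail}]")
```

The sample response produces six findings: the sessionid cookie twice (no HttpOnly, no Secure), the missing no-store, the Basic challenge, the form that downgrades to HTTP, and the form posting to analytics.partner.test; the prefs cookie and the relative /local form are clean. Each check only reads what the browser already received, which is what keeps this class of tool non-intrusive.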
Watcher writes findings to a ListView which includes the Severity, SessionID, Title, and URL. The full report can be exported to an XML file.