OWASP Fiddler Addons for Security Testing Project

Main
Welcome to the OWASP page presenting Fiddler addons for security testing. This is home of the Watcher and x5s security testing tools built as extensions for the Fiddler HTTP proxy. A quick overview:


 * Watcher is a passive vulnerability scanner for Web applications
 * x5s is an active cross-site scripting testing tool for Web applications
 * Fiddler is an HTTP debugging proxy with support (and scripting support) for traffic interception, traffic modification, replay, comparison, data parsing, offline usage, NTLM/basic/digest auth, and much more

Fiddler HTTP Proxy
The Fiddler HTTP debugging proxy has a long history with a wide user base and was chosen as the platform for building security testing tools found on this page. By leveraging Fiddler we can focus our efforts on the security testing logic and let the proxy do its job.

Watcher
Ever find yourself looking for that showstopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That's intitially why we created Watcher. For one thing, we don't want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but we still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that showstopper exploit.

Descriptions of the security checks

Detailed Documentation

Download link

The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler which already provides the proxy framework for HTTP debugging. Some reasons to use Watcher include:

Being passive gives Watcher several advantages - when applications live in the Cloud there's often a risk that running security testing could damage the shared infrastructure. However, using a passive tool like Watcher ensures that there's no chance of damaging Cloud-like infrastructure. Watcher does not attack web-applications with loads of intrusive requests, it doesn't modify inputs to your application. Unlike crawlers and web-application scanners, Watcher does not generate dangerous traffic. It quietly analyzes normal user-interaction and makes educated reports on the security of an application. If you’re building web-applications you already have a development and test staff. Fiddler has been valuable to dev and test for years as a general-purpose HTTP debugging proxy. Watcher fits seamlessly into the picture, providing valuable security insight with no special training requirements, dedicated machines, or other resources.
 * Safe for the Cloud and hosting environments
 * Safe for production environments
 * Low overhead, no training

Watcher screenshots
The main configuration screen for Watcher makes it as simple as clicking the 'enable' button. Once you do that, all HTTP traffic starts getting observed and analyzed for security issues. You can also narrow Watcher's scope by specifying an ***origin*** domain that will be the focus of analysis, all others being ignored. Custom Watcher configurations can also be saved so you don't need to re-enter the same information each time you launch the tool.



To get more granular, the checks configuration screen allows you enable and disable individual checks. Some checks even come with their own configurations such as noise reduction or string analysis.



The most interesting screen will probably be the results screen, where each finding is displayed. From here you can remove findings, filter by severity, and export to XML, HTML, or TFS.