Projects/OWASP Watcher Project/Releases/Watcher v1.5.0/Notes

From OWASP
  • CHANGELOG

+++ major new feature,
+ minor new feature,
(*) changed feature,
% improved performance or quality,
! fixed minor bug,
!!! fixed major bug,

  • RELEASES

v1.5.0 - 2010-11-17
+++ Added a button to process sessions offline. Now a user can load a .SAZ (session archive) file and process the data offline in Fiddler/Watcher.
% Fixed the ProgressDialog control to move incrementally.

v1.4.1 - 2010-11-09
(*) Exporting results now includes all results rather than just those selected.
(*) XML report now includes metadata about Watcher version and configuration.
% Check for 'Charset not UTF-8' improvements.

v1.4.0 - 2010-04-24
Attempts have been made at noise reduction; see below.
Wiki has been updated with more check descriptions, all linked to from inside Watcher.
+++ Check descriptions all improved and updated with recommendations and external references.
+ New check for JavaScript document.domain lowering.
(*) IMPORTANT: All cookie checks now perform noise filtering by default, with no option to change.
(*) New installations now come with a few noisy checks disabled by default.
(*) New installations now come with some check configs enabled by default to reduce noise.
! Fixed bug in loosely scoped domain where it wasn't defaulting to origin when one's not specified.
! Fixed bug where check configurations weren't saving.
! Assorted bug fixes.

v1.3.0 - 2010-02-25
+++ .NET Framework 3.5 is now required.
+++ Optional plugin (separate download) to export results to Team Foundation Server (TFS).
+ New (BETA) check for ASP.NET VIEWSTATE tampering vulnerability. (thanks to Bryan Sullivan for suggestions)
+ New (BETA) check for JavaServer Faces ViewState tampering vulnerability. (thanks to David Byrne for ideas)
+ New check for Silverlight EnableHtmlAccess.
+ Export results to HTML report.
+ If no origin domain is specified, each response domain will be treated as the origin, enabling better cross-domain analysis.
+ Added compliance mappings for Microsoft SDL.
! Assorted bug fixes throughout check library.

v1.2.2 - 2009-07-24
+ User-Agent now sends version information during update check for tracking purposes.
+ Added Windows 7 support to installer.
! Fixed the configuration page so checking and unchecking immediately affect what checks are run on a request.
! Checks that maintain URL caches weren't clearing when the results list was cleared.
(*) Changed the 'Charset not UTF-8' check to ignore a missing meta tag charset when Content-Type header is defined (thanks Dave Wichers for reporting).
(*) Moved the check configuration to a tab of its own.
% Updates to the UI look and feel.
% Moved check configurations to their own page in UI.

v1.2.1 - 2009-07-12
!!! Fixed issue where response payloads greater than 200K caused the entire session to be ignored.