Pen-testers like to find bugs. Auditors like to find issues. Developers wish they would all go away. And what's everyone end up doing - running scanners, static analysis tools, instrumentation and code reviews. Watcher is a passive Web-app testing tool released as an Open Source project. It fills an important gap & it assists during the manual runtime testing process. It's literally as simple as it gets, you click 'enable', browse your web-app, and watch the findings start popping up. Watcher silently examines all traffic and makes logical decisions to identify real issues. There's low-overhead required, and nothing intrusive. Watcher works as a manual reviewer's assistant. For auditors if finds the policy violations Watcher finds. For developers it will find the configuration issues and design weaknesses. For the pen-tester, Watcher provides all this plus real 'hot-spot' detection. With a view of the hot-spots, pen-testers know where to look closer to find deeper issues leading to cross-site scripting and other important vulnerabilities. Watcher has been in development for some time and includes over 35 checks. This presentation intends to demonstrate this Open Source tool, discussing some of the checks and vulnerabilities in detail, and present the extensibility model.
Chris Weber is co-founder at Casaba Security where he's leading product development for new tools to assist in the field of Unicode and Web-application security. He has spent years focusing on software security testing for some of the world's leading software development companies and online properties. He's authored several security books, articles and presentations, and regularly speaks at industry conferences. He's worked as a security researcher and consultant for over a decade identifying hundreds of security vulnerabilities in many widely used products including Web browsers and Web-applications.