Google's ratproxy is a passive web-application security audit proxy. The idea is that
you exercise the site under test with a browser while routing all of its traffic
through the ratproxy web proxy; ratproxy records and analyzes that traffic and
reports the problems it notices in requests and responses.
Installation and Execution of RatProxy
- Download from
    http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz
- Untar the archive.
- Run
    make
- Mac OS: I had to download flare:
    cd flare-dist
    wget http://www.nowrap.de/download/flare06mac.tgz
    tar -zxf flare06mac.tgz
- Start up the proxy:
    ./ratproxy -v outdir -w ratproxy.log -d eecs.berkeley.edu -lfscm
- In Firefox, set the proxy to 127.0.0.1, port 8080
  (Mac: Firefox -> Preferences -> Advanced -> Network -> Connections -> Settings).
- Exercise the site as you normally would.
  Note that ratproxy does not appear to work with ports other than :80 and :443.
  Thus, running it against the test sites on carson does not work, other than
  running it against http://carson.eecs.berkeley.edu.
- When you are done, generate a report:
    ./ratproxy-report.sh ratproxy.log >report.html
Ratproxy output from 12/2008, after XSS JSP fixes
POST query with no XSRF protection
(section collapsed in the report; no entries shown)
Suspicious parameter passing scheme
Parameter names look like OGNL expressions, PHP global variables, or other mechanisms to directly affect the state of server-side code. Some such schemes could lead to data injection unless proper security measures are in place, and should be carefully evaluated.
- MEDIUM ECHO PRED AUTH GET http://chess.eecs.berkeley.edu:80/chessj/gsrcCalendar.do?calendarName=chessCalendar&gsrc.location.group=chess -> 200
  Response (27191): <!-- $Id: decorator.jsp,v 1.4 2003/02/21 00:16:43 allenh Exp $ -->\n<!-- Allen Hopkins -->\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n \n\n\n\n\n<html>\n<head>\n\n<title></title>\n\n\n<SCRIPT LANGUAGE="JavaScript" src="/coolmenu.js"></script>\n<SCRIPT LANGUAGE="JavaScript" src="/menus.js"></script>\n<LINK href="/menuStyles.css" rel="stylesheet" type="text/css">\n\n</head>\n\n<STYLE TYPE="text/css">\n<!--\n.menu {\n position\t:absolute;\n background\t:white;\n border-color:white;\n border-width:0px;\n visibility\t:hidden;\n z-index\t:99;\n}\n-->\n</STYLE>\n\n<body marginwidth=0 marginheight=0\n leftmargin=0 topmargin=0\n >\n\n\t\t<!-- $Id: header.jsp,v 1.12 2008/12/23 03:30:25 www Exp $ -->\n<!-- Allen Hopkins -->\n\n\n\n\n\n\n\n\n\n\n\n\n...
  Offending value: gsrc.location.group
  MIME type: text/html, detected: text/html, charset: ISO-8859-1
Bad or no charset declared for renderable file
Text documents with missing, mistyped, or obscure character sets (see config.h). For some values, UTF-7 and other types of character set sniffing in Internet Explorer may occur if any part of the file is user-controlled.
- MEDIUM echo PRED AUTH GET http://chess.eecs.berkeley.edu:80/ -> 200
  Response (57214): <title>Chess - Center for Hybrid and Embedded Software Systems</title>\n\n\t<SCRIPT LANGUAGE="JavaScript" src="/coolmenu.js"></script>\n\t<SCRIPT LANGUAGE="JavaScript" src="/menus.js"></script>\n\t<link href="/lib/default.css" rel="stylesheet" type="text/css">\n\t<LINK href="/menuStyles.css" rel="stylesheet" type="text/css">\n\t<link rel="shortcut icon" href="http://chess.eecs.berkeley.edu/favicon.ico">\n <html>\n<!-- $Id: index.html,v 1.243 2008/12/05 00:09:32 cxh Exp $ -->\n<!-- index.php reads this HTML and puts the website decorations around it. -->\n<!-- -->\n<body marginwidth=0 marginheight=0\n\t\tleftmargin=0 topmargin=0\n\t\t bgcolor="#ffffff">\n\n<SCRIPT LANGUAGE="JavaScript">\n<!--\n function changeLogoCol...
  MIME type: text/html, detected: text/html, charset: -
- LOW echo PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/standard/global.css -> 200
  Response (8273): /* The contents of this file are subject to the Mozilla Public\n * License Version 1.1 (the "License"); you may not use this file\n * except in compliance with the License. You may obtain a copy of\n * the License at http://www.mozilla.org/MPL/\n *\n * Software distributed under the License is distributed on an "AS\n * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or\n * implied. See the License for the specific language governing\n * rights and limitations under the License.\n *\n * The Original Code is the Bugzilla Bug Tracking System.\n *\n * The Initial Developer of the Original Code is Netscape Communications\n * Corporation. Portions created by Netscape are\n * Copyright (C) 1998 Netscape Communications Corporation. All\n * Rights Reserved.\n *\n * Contributor(s): Byron Jones <bugzilla@glob.com.au>\n * Christian Reis <kiko@async.com.br>\n * Vitaly Harisov <vitaly@rathedg.com>\n * ...
  MIME type: text/css, detected: text/html, charset: -
- LOW echo PRED auth GET http://chess.eecs.berkeley.edu:80/ -> 200
  Response (54198): <title>Chess - Center for Hybrid and Embedded Software Systems</title>\n\n\t<SCRIPT LANGUAGE="JavaScript" src="/coolmenu.js"></script>\n\t<SCRIPT LANGUAGE="JavaScript" src="/menus.js"></script>\n\t<link href="/lib/default.css" rel="stylesheet" type="text/css">\n\t<LINK href="/menuStyles.css" rel="stylesheet" type="text/css">\n\t<link rel="shortcut icon" href="http://chess.eecs.berkeley.edu/favicon.ico">\n <html>\n<!-- $Id: index.html,v 1.243 2008/12/05 00:09:32 cxh Exp $ -->\n<!-- index.php reads this HTML and puts the website decorations around it. -->\n<!-- -->\n<body marginwidth=0 marginheight=0\n\t\tleftmargin=0 topmargin=0\n\t\t bgcolor="#ffffff">\n\n<SCRIPT LANGUAGE="JavaScript">\n<!--\n function changeLogoCol...
  MIME type: text/html, detected: text/html, charset: -
- LOW echo PRED auth GET http://chess.eecs.berkeley.edu:80/php/chess.eecs.berkeley.edu/pmwiki/pub/jsMath/plugins/autoload.js -> 200
  Response (14703): /*\n * autoload.js\n * \n * Part of the jsMath package for mathematics on the web.\n *\n * This file is a plugin that checks if a page contains any math\n * that must be processed by jsMath, and only loads jsMath.js\n * when there is.\n * \n * You can control the items to look for via the variables\n * \n * jsMath.Autoload.findTeXstrings\n * jsMath.Autoload.findLaTeXstrings\n * jsMath.Autoload.findCustomStrings\n * jsMath.Autoload.findCustomSettings\n * \n * which control whether to look for TeX strings that will be converted\n * by jsMath.ConvertTeX(), or LaTeX strings that will be converted by\n * jsMath.ConvertLaTeX(). By default, the first is true and the second\n * and third are false. The findCustomStrings can be used to specify your\n * own delimiters for in-line and display mathematics, e.g.\n * \n * jsMath.Autoload.findCustomStrings = [\n * '[math],'[/math]', // start and end in-line math\n * '[display]','...
  MIME type: application/javascript, detected: text/plain, charset: -
- LOW echo PRED auth GET http://chess.eecs.berkeley.edu:80/ptexternal/wiki/ -> 200
  Response (10920): \n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\r\n<!-- monobook/monobook.tmpl\r\nSee PHP for credits and license\r\n-->\r\n<head>\r\n <title>Center for Hybrid and Embedded Software Systems - Home Page</title>\r\n <meta http-equiv='Content-Style-Type' content='text/css' />\r\n <!--HTMLHeader--><style type='text/css'><!--\n ul, ol, pre, dl, p { margin-top:0px; margin-bottom:0px; }\n code.escaped { white-space: nowrap; }\n .vspace { margin-top:1.33em; }\n .indent { margin-left:40px; }\n .outdent { margin-left:40px; text-indent:-40px; }\n a.createlinktext { text-decoration:none; border-bottom:1px dotted gray; }\n a.createlink { text-decoration:none; position:rel...
  Cookies set: PHPSESSID=ude3mvb0maocs70ojrhjie3rl6
  MIME type: text/html; charset=ISO-8859-1, detected: text/html, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/global.css -> 200
  Response (100): /*\n * Custom rules for global.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
MIME type mismatch on renderable file
Text documents that seem to have a poorly chosen Content-Type value. Even slight mismatches may trigger content sniffing in Internet Explorer, and potentially lead to cross-site scripting if any part of the file is user-controlled.
- LOW echo PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css -> 200
  Response (99): /*\n * Custom rules for index.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/standard/global.css -> 200
  Response (8273): /* The contents of this file are subject to the Mozilla Public\n * License Version 1.1 (the "License"); you may not use this file\n * except in compliance with the License. You may obtain a copy of\n * the License at http://www.mozilla.org/MPL/\n *\n * Software distributed under the License is distributed on an "AS\n * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or\n * implied. See the License for the specific language governing\n * rights and limitations under the License.\n *\n * The Original Code is the Bugzilla Bug Tracking System.\n *\n * The Initial Developer of the Original Code is Netscape Communications\n * Corporation. Portions created by Netscape are\n * Copyright (C) 1998 Netscape Communications Corporation. All\n * Rights Reserved.\n *\n * Contributor(s): Byron Jones <bugzilla@glob.com.au>\n * Christian Reis <kiko@async.com.br>\n * Vitaly Harisov <vitaly@rathedg.com>\n * ...
  MIME type: text/css, detected: text/html, charset: -
- LOW echo PRED auth GET http://chess.eecs.berkeley.edu:80/php/chess.eecs.berkeley.edu/pmwiki/pub/jsMath/plugins/autoload.js -> 200
  Response (14703): /*\n * autoload.js\n * \n * Part of the jsMath package for mathematics on the web.\n *\n * This file is a plugin that checks if a page contains any math\n * that must be processed by jsMath, and only loads jsMath.js\n * when there is.\n * \n * You can control the items to look for via the variables\n * \n * jsMath.Autoload.findTeXstrings\n * jsMath.Autoload.findLaTeXstrings\n * jsMath.Autoload.findCustomStrings\n * jsMath.Autoload.findCustomSettings\n * \n * which control whether to look for TeX strings that will be converted\n * by jsMath.ConvertTeX(), or LaTeX strings that will be converted by\n * jsMath.ConvertLaTeX(). By default, the first is true and the second\n * and third are false. The findCustomStrings can be used to specify your\n * own delimiters for in-line and display mathematics, e.g.\n * \n * jsMath.Autoload.findCustomStrings = [\n * '[math],'[/math]', // start and end in-line math\n * '[display]','...
  MIME type: application/javascript, detected: text/plain, charset: -
- LOW echo PRED auth GET http://chess.eecs.berkeley.edu:80/ptexternal/wiki/ -> 200
  Response (10920): \n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\r\n<!-- monobook/monobook.tmpl\r\nSee PHP for credits and license\r\n-->\r\n<head>\r\n <title>Center for Hybrid and Embedded Software Systems - Home Page</title>\r\n <meta http-equiv='Content-Style-Type' content='text/css' />\r\n <!--HTMLHeader--><style type='text/css'><!--\n ul, ol, pre, dl, p { margin-top:0px; margin-bottom:0px; }\n code.escaped { white-space: nowrap; }\n .vspace { margin-top:1.33em; }\n .indent { margin-left:40px; }\n .outdent { margin-left:40px; text-indent:-40px; }\n a.createlinktext { text-decoration:none; border-bottom:1px dotted gray; }\n a.createlink { text-decoration:none; position:rel...
  Cookies set: PHPSESSID=ude3mvb0maocs70ojrhjie3rl6
  MIME type: text/html; charset=ISO-8859-1, detected: text/html, charset: -
- LOW echo PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/global.css -> 200
  Response (100): /*\n * Custom rules for global.css.\n * The rules you put here override rules in that stylesheet.\n */\n
  MIME type: text/css, detected: text/plain, charset: -
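The three finding classes in the report above (parameter names that look like property paths, text served without a charset, and a declared Content-Type that disagrees with what the bytes look like) come down to a few passive checks on each request/response pair. The script below is an added example written for these notes, not ratproxy's own code: its byte sniffer, its list of text types and the chess.example.test hostname are assumptions, and the sample responses are constructed to resemble the entries above (a dotted parameter name, comment-only CSS served as text/css, a CSS file whose comment contains an angle-bracketed e-mail address, a JavaScript file whose first bytes are all comment).

```python
"""Passive response checks modelled on three ratproxy finding classes.

Added example, not ratproxy's own code. It re-implements, in miniature,
the logic behind "Suspicious parameter passing scheme", "Bad or no charset
declared for renderable file" and "MIME type mismatch on renderable file",
and runs it over constructed responses shaped like the report entries.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that are dotted or bracketed paths (e.g. gsrc.location.group)
# look like OGNL / PHP-global style references into server-side state.
SUSPICIOUS_PARAM = re.compile(r"^[A-Za-z_]\w*(?:\.\w+|\[[^\]]*\])+$")

# Text types a browser will interpret and therefore content-sniff (assumption
# for this example; ratproxy keeps its own list in config.h).
TEXT_TYPES = {"text/html", "application/xhtml+xml", "text/xml",
              "text/css", "text/javascript", "application/javascript", "text/plain"}

SNIFF_BYTES = 512                     # sniffers look only at the file head
TAG_RE = re.compile(rb"<\s*/?[a-z!][^>]*>", re.I)
CSS_RULE_RE = re.compile(rb"[.#a-z][\w.#:\-\s,]*\{[^}]*:[^}]*\}", re.I)
JS_RE = re.compile(rb"\b(?:function|var|return)\b")


def sniff_mime(body: bytes) -> str:
    """Crude stand-in for the report's 'detected' column: guess a type from the bytes.

    Anything tag-like counts as HTML even inside a comment, which is exactly
    why a mis-typed file containing user-controlled text is dangerous.
    """
    head = body[:SNIFF_BYTES]
    if TAG_RE.search(head):
        return "text/html"
    code = re.sub(rb"/\*.*?\*/", b"", head, flags=re.S).strip()
    if not code:
        return "text/plain"           # comment-only head: no usable signal
    if CSS_RULE_RE.search(code):
        return "text/css"
    if JS_RE.search(code):
        return "application/javascript"
    return "text/plain"


def parse_content_type(header: str):
    """'text/css; charset=UTF-8' -> ('text/css', 'utf-8'); charset is None if absent."""
    mime, _, params = header.partition(";")
    charset = None
    for param in params.split(";"):
        key, _, value = param.strip().partition("=")
        if key.lower() == "charset" and value:
            charset = value.strip().strip('"').lower()
    return mime.strip().lower(), charset


def check_params(url: str) -> list:
    """'Suspicious parameter passing scheme': names that look like property paths."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if SUSPICIOUS_PARAM.match(name)]


def check_charset(content_type: str) -> bool:
    """'Bad or no charset declared': a text type served without any charset."""
    mime, charset = parse_content_type(content_type)
    return mime in TEXT_TYPES and charset is None


def check_mime_mismatch(content_type: str, body: bytes):
    """'MIME type mismatch': (declared, detected) when they disagree, else None."""
    mime, _ = parse_content_type(content_type)
    detected = sniff_mime(body)
    return (mime, detected) if mime in TEXT_TYPES and detected != mime else None


def audit(url: str, content_type: str, body: bytes) -> list:
    """Collect (finding, detail) tuples for one response, like one report entry."""
    findings = [("suspicious-param", name) for name in check_params(url)]
    if check_charset(content_type):
        findings.append(("no-charset", parse_content_type(content_type)[0]))
    mismatch = check_mime_mismatch(content_type, body)
    if mismatch:
        findings.append(("mime-mismatch", "%s declared, %s detected" % mismatch))
    return findings


def hardened_headers(mime: str, charset: str = "utf-8") -> dict:
    """The fix for the last two classes: an explicit charset and no sniffing at all."""
    return {"Content-Type": "%s; charset=%s" % (mime, charset),
            "X-Content-Type-Options": "nosniff"}


# Constructed responses mirroring the entries above (hostname is a placeholder).
SAMPLES = [
    ("http://chess.example.test/chessj/gsrcCalendar.do?calendarName=chessCalendar&gsrc.location.group=chess",
     "text/html", b"<html><head><title></title></head><body>calendar</body></html>"),
    ("https://chess.example.test/bugzilla/skins/custom/index.css",
     "text/css", b"/*\n * Custom rules for index.css.\n */\n"),
    ("https://chess.example.test/bugzilla/skins/standard/global.css",
     "text/css", b"/* Contributor(s): Byron Jones <bugzilla@glob.com.au> */\nbody { margin: 0 }\n"),
    ("http://chess.example.test/pmwiki/pub/jsMath/plugins/autoload.js",
     "application/javascript", b"/*\n * autoload.js\n * Part of the jsMath package.\n */\n"),
    ("https://chess.example.test/bugzilla/skins/standard/fixed.css",
     "text/css; charset=UTF-8", b"/* fixed */\nbody { margin: 0 }\n"),
]


def run_samples() -> dict:
    """Audit every constructed sample, keyed by URL path for readability."""
    return {urlsplit(url).path: audit(url, ctype, body) for url, ctype, body in SAMPLES}


if __name__ == "__main__":
    for path, findings in run_samples().items():
        print(path, findings or "clean")
```

Running it reproduces the shape of the report: the calendar URL is flagged for gsrc.location.group and for a missing charset, the comment-only CSS and JavaScript files are declared one type but sniff as text/plain, and the Bugzilla stylesheet sniffs as HTML purely because of the angle-bracketed address in its licence comment. The last sample shows the mitigation that clears both MIME findings: every text response carries an explicit charset, and X-Content-Type-Options: nosniff tells the browser to trust the declared type rather than guess.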