- Download from
http://ratproxy.googlecode.com/files/ratproxy-1.51.tar.gz
- Untar
- Run
make
- Mac OS: I had to download flare:
cd flare-dist
wget http://www.nowrap.de/download/flare06mac.tgz
tar -zxf flare06mac.tgz
- Start up the proxy
./ratproxy -v outdir -w ratproxy.log -d eecs.berkeley.edu -lfscm
- In Firefox, set the proxy to 127.0.0.1, port 8080
(Mac: Firefox -> Preferences -> Advanced ->
Network -> Connections -> Settings
- Exercise the site as you normally would.
Note that ratproxy does not appear to work with
ports outside of :80 and :443. Thus, running it on
the test sites on carson does not work, other than running it on http://carson.eecs.berkeley.edu.
- When you are done, generate a report
./ratproxy-report.sh ratproxy.log >report.html
Ratproxy output from 12/2008, after XSS JSP fixes
POST query with no XSRF protection [toggle]
Section hidden
Suspicious parameter passing scheme [toggle]
Section hidden
Parameter names look like OGNL expressions, PHP global variables, or other mechanisms to directly affect the state of server-side code. Some of such schemes could lead to data injection unless proper security measures are in place, and should be carefully evaluated.
- MEDIUMECHO PRED AUTH GET http://chess.eecs.berkeley.edu:80/chessj/gsrcCalendar.do?calendarName=chessCalendar&gsrc.location.group=chess � 200 [view trace]
Response (27191): <!-- $Id: decorator.jsp,v 1.4 2003/02/21 00:16:43 allenh Exp $ -->n<!-- Allen Hopkins -->nnnnnnnnnnnnnnn nnnnn<html>n<head>nn<title></title>nnn<SCRIPT LANGUAGE="JavaScript" src="/coolmenu.js"></script>n<SCRIPT LANGUAGE="JavaScript" src="/menus.js"></script>n<LINK href="/menuStyles.css" rel="stylesheet" type="text/css">nn</head>nn<STYLE TYPE="text/css">n<!--n.menu {n positiont:absolute;n backgroundt:white;n border-color:white;n border-width:0px;n visibilityt:hidden;n z-indext:99;n}n-->n</STYLE>nn<body marginwidth=0 marginheight=0n leftmargin=0 topmargin=0n >nntt<!-- $Id: header.jsp,v 1.12 2008/12/23 03:30:25 www Exp $ -->n<!-- Allen Hopkins -->nnnnnnnnnnnnn...
Offending value: gsrc.location.group
MIME type: text/html, detected: text/html, charset: ISO-8859-1
Bad or no charset declared for renderable file [toggle]
Section hidden
Text documents with missing, mistyped, or obscure character sets (see config.h). For some values, UTF-7 and other types of character set sniffing in Internet Explorer may occur if any part of the file is user-controlled.
- MEDIUMecho PRED AUTH GET http://chess.eecs.berkeley.edu:80/ � 200 [view trace]
Response (57214): <title>Chess - Center for Hybrid and Embedded Software Systems</title>nnt<SCRIPT LANGUAGE="JavaScript" src="/coolmenu.js"></script>nt<SCRIPT LANGUAGE="JavaScript" src="/menus.js"></script>nt<link href="/lib/default.css" rel="stylesheet" type="text/css">nt<LINK href="/menuStyles.css" rel="stylesheet" type="text/css">nt<link rel="shortcut icon" href="http://chess.eecs.berkeley.edu/favicon.ico">n <html>n<!-- $Id: index.html,v 1.243 2008/12/05 00:09:32 cxh Exp $ -->n<!-- index.php reads this HTML and puts the website decorations around it. -->n<!-- -->n<body marginwidth=0 marginheight=0nttleftmargin=0 topmargin=0ntt bgcolor="#ffffff">nn<SCRIPT LANGUAGE="JavaScript">n<!--n function changeLogoCol...
MIME type: text/html, detected: text/html, charset: -
- LOWecho PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/standard/global.css � 200 [view trace]
Response (8273): /* The contents of this file are subject to the Mozilla Publicn * License Version 1.1 (the "License"); you may not use this filen * except in compliance with the License. You may obtain a copy ofn * the License at http://www.mozilla.org/MPL/n *n * Software distributed under the License is distributed on an "ASn * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express orn * implied. See the License for the specific language governingn * rights and limitations under the License.n *n * The Original Code is the Bugzilla Bug Tracking System.n *n * The Initial Developer of the Original Code is Netscape Communicationsn * Corporation. Portions created by Netscape aren * Copyright (C) 1998 Netscape Communications Corporation. Alln * Rights Reserved.n *n * Contributor(s): Byron Jones <bugzilla@glob.com.au>n * Christian Reis <kiko@async.com.br>n * Vitaly Harisov <vitaly@rathedg.com>n * ...
MIME type: text/css, detected: text/html, charset: -
- LOWecho PRED auth GET http://chess.eecs.berkeley.edu:80/ � 200 [view trace]
Response (54198): <title>Chess - Center for Hybrid and Embedded Software Systems</title>nnt<SCRIPT LANGUAGE="JavaScript" src="/coolmenu.js"></script>nt<SCRIPT LANGUAGE="JavaScript" src="/menus.js"></script>nt<link href="/lib/default.css" rel="stylesheet" type="text/css">nt<LINK href="/menuStyles.css" rel="stylesheet" type="text/css">nt<link rel="shortcut icon" href="http://chess.eecs.berkeley.edu/favicon.ico">n <html>n<!-- $Id: index.html,v 1.243 2008/12/05 00:09:32 cxh Exp $ -->n<!-- index.php reads this HTML and puts the website decorations around it. -->n<!-- -->n<body marginwidth=0 marginheight=0nttleftmargin=0 topmargin=0ntt bgcolor="#ffffff">nn<SCRIPT LANGUAGE="JavaScript">n<!--n function changeLogoCol...
MIME type: text/html, detected: text/html, charset: -
- LOWecho PRED auth GET http://chess.eecs.berkeley.edu:80/php/chess.eecs.berkeley.edu/pmwiki/pub/jsMath/plugins/autoload.js � 200 [view trace]
Response (14703): /*n * autoload.jsn * n * Part of the jsMath package for mathematics on the web.n *n * This file is a plugin that checks if a page contains any mathn * that must be processed by jsMath, and only loads jsMath.jsn * when there is.n * n * You can control the items to look for via the variablesn * n * jsMath.Autoload.findTeXstringsn * jsMath.Autoload.findLaTeXstringsn * jsMath.Autoload.findCustomStringsn * jsMath.Autoload.findCustomSettingsn * n * which control whether to look for TeX strings that will be convertedn * by jsMath.ConvertTeX(), or LaTeX strings that will be converted byn * jsMath.ConvertLaTeX(). By default, the first is true and the secondn * and third are false. The findCustomStrings can be used to specify yourn * own delimiters for in-line and display mathematics, e.g.n * n * jsMath.Autoload.findCustomStrings = [n * '[math],'[/math]', // start and end in-line mathn * '[display]','...
MIME type: application/javascript, detected: text/plain, charset: -
- LOWecho PRED auth GET http://chess.eecs.berkeley.edu:80/ptexternal/wiki/ � 200 [view trace]
Response (10920): n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"rn "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">rn<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">rn<!-- monobook/monobook.tmplrnSee PHP for credits and licensern-->rn<head>rn <title>Center for Hybrid and Embedded Software Systems - Home Page</title>rn <meta http-equiv='Content-Style-Type' content='text/css' />rn <!--HTMLHeader--><style type='text/css'><!--n ul, ol, pre, dl, p { margin-top:0px; margin-bottom:0px; }n code.escaped { white-space: nowrap; }n .vspace { margin-top:1.33em; }n .indent { margin-left:40px; }n .outdent { margin-left:40px; text-indent:-40px; }n a.createlinktext { text-decoration:none; border-bottom:1px dotted gray; }n a.createlink { text-decoration:none; position:rel...
Cookies set: PHPSESSID=ude3mvb0maocs70ojrhjie3rl6
MIME type: text/html; charset=ISO-8859-1, detected: text/html, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/global.css � 200 [view trace]
Response (100): /*n * Custom rules for global.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
MIME type mismatch on renderable file [toggle]
Section hidden
Text documents that seem to have a poorly chosen Content-Type value. Even slight mismatches may trigger content sniffing in Internet Explorer, and potentially lead to cross-site scripting if any part of the file is user-controlled.
- LOWecho PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chess.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/contrib/Dusk/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/index.css � 200 [view trace]
Response (99): /*n * Custom rules for index.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/standard/global.css � 200 [view trace]
Response (8273): /* The contents of this file are subject to the Mozilla Publicn * License Version 1.1 (the "License"); you may not use this filen * except in compliance with the License. You may obtain a copy ofn * the License at http://www.mozilla.org/MPL/n *n * Software distributed under the License is distributed on an "ASn * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express orn * implied. See the License for the specific language governingn * rights and limitations under the License.n *n * The Original Code is the Bugzilla Bug Tracking System.n *n * The Initial Developer of the Original Code is Netscape Communicationsn * Corporation. Portions created by Netscape aren * Copyright (C) 1998 Netscape Communications Corporation. Alln * Rights Reserved.n *n * Contributor(s): Byron Jones <bugzilla@glob.com.au>n * Christian Reis <kiko@async.com.br>n * Vitaly Harisov <vitaly@rathedg.com>n * ...
MIME type: text/css, detected: text/html, charset: -
- LOWecho PRED auth GET http://chess.eecs.berkeley.edu:80/php/chess.eecs.berkeley.edu/pmwiki/pub/jsMath/plugins/autoload.js � 200 [view trace]
Response (14703): /*n * autoload.jsn * n * Part of the jsMath package for mathematics on the web.n *n * This file is a plugin that checks if a page contains any mathn * that must be processed by jsMath, and only loads jsMath.jsn * when there is.n * n * You can control the items to look for via the variablesn * n * jsMath.Autoload.findTeXstringsn * jsMath.Autoload.findLaTeXstringsn * jsMath.Autoload.findCustomStringsn * jsMath.Autoload.findCustomSettingsn * n * which control whether to look for TeX strings that will be convertedn * by jsMath.ConvertTeX(), or LaTeX strings that will be converted byn * jsMath.ConvertLaTeX(). By default, the first is true and the secondn * and third are false. The findCustomStrings can be used to specify yourn * own delimiters for in-line and display mathematics, e.g.n * n * jsMath.Autoload.findCustomStrings = [n * '[math],'[/math]', // start and end in-line mathn * '[display]','...
MIME type: application/javascript, detected: text/plain, charset: -
- LOWecho PRED auth GET http://chess.eecs.berkeley.edu:80/ptexternal/wiki/ � 200 [view trace]
Response (10920): n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"rn "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">rn<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">rn<!-- monobook/monobook.tmplrnSee PHP for credits and licensern-->rn<head>rn <title>Center for Hybrid and Embedded Software Systems - Home Page</title>rn <meta http-equiv='Content-Style-Type' content='text/css' />rn <!--HTMLHeader--><style type='text/css'><!--n ul, ol, pre, dl, p { margin-top:0px; margin-bottom:0px; }n code.escaped { white-space: nowrap; }n .vspace { margin-top:1.33em; }n .indent { margin-left:40px; }n .outdent { margin-left:40px; text-indent:-40px; }n a.createlinktext { text-decoration:none; border-bottom:1px dotted gray; }n a.createlink { text-decoration:none; position:rel...
Cookies set: PHPSESSID=ude3mvb0maocs70ojrhjie3rl6
MIME type: text/html; charset=ISO-8859-1, detected: text/html, charset: -
- LOWecho PRED auth GET https://chesstst.eecs.berkeley.edu:443/bugzilla/skins/custom/global.css � 200 [view trace]
Response (100): /*n * Custom rules for global.css.n * The rules you put here override rules in that stylesheet.n */n
MIME type: text/css, detected: text/plain, charset: -