Watcher.zip contains the two DLLs for manual installation of the plugin - drop them in your Fiddler2\Scripts user or program files folder.
WatcherSetup.exe is an installer built with NSIS that will copy the two DLLs into either your Fiddler2\Scripts user or program files folder.
WatcherTFS.zip contains the Team Foundation Server (TFS) component which Watcher uses to export results to TFS. Installation and further instructions are included in the ZIP file.

CHANGELOG
Program: Watcher - Passive Web Security Tool for Fiddler
License: Custom Open Source
Authors: Chris Weber
Testers: Chris Weber
Copyright (c) 2010 - 2013 Casaba Security, LLC. All Rights Reserved.
+++ major new feature
+ minor new feature
* changed feature
% improved performance or quality
! fixed minor bug
!!! fixed major bug
!!! Bug fix in check for custom-defined regex patterns
+ New check allows for custom-defined regex patterns
% Minor bugfixes
+ New check for internal IP address disclosure
% Watcher now defaults to automatically checking for updates at start
! Bug fixes
% X-Frame-Options check now checks every page, unique to path, ignoring query.
+ New check for HTTP Strict-Transport-Security header on SSL sites
+ Added free-form text filter to Results display
v1.5.1 - 2011-02-21
% Moving checks to Majestic12 HtmlParser to overcome some bottlenecks.
% Deprecating some Utility.cs functions.
! Fixing various minor bugs.
v1.5.0 - 2010-11-17
+++ Added a button to process sessions offline. Now a user can load a .SAZ (session archive) file and process the data offline in Fiddler/Watcher.
% Fixed the ProgressDialog control to move incrementally.
v1.4.1 - 2010-11-09
* Exporting results now includes all results rather than just those selected.
* XML report now includes metadata about Watcher version and configuration.
% Check for 'Charset not UTF-8' improvements.
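Several of the entries above describe passive checks that run over each response Fiddler captures: X-Frame-Options evaluated once per unique path with the query ignored, Strict-Transport-Security expected only on SSL sites, internal IP address disclosure, the 'Charset not UTF-8' check, and user-defined regex patterns. The following is an added example in Python showing how such passive checks can be structured, not Watcher's own C# code. The sample sessions, hostnames, the RFC 1918 address regex and the sample custom pattern are constructed for the illustration, and the rule that an undeclared charset is not reported is an assumption.

```python
# Added example: passive response checks of the kind listed in this changelog.
# Illustrative code, not Watcher's implementation; sample sessions are constructed.
import re
from urllib.parse import urlsplit

# Constructed sample sessions: (request URL, response headers, response body).
SAMPLE_SESSIONS = [
    ("https://shop.example.test/account?tab=orders",
     {"Content-Type": "text/html; charset=utf-8",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "DENY"},
     "<html><body>Your orders</body></html>"),
    # Same path, different query: X-Frame-Options is only evaluated once per path.
    ("https://shop.example.test/account?tab=addresses",
     {"Content-Type": "text/html; charset=utf-8"},
     "<html><body>Your addresses</body></html>"),
    ("http://intranet.example.test/status",
     {"Content-Type": "text/html; charset=iso-8859-1", "Server": "Apache"},
     "<html><body>Served by node 10.0.3.17</body></html>"),
    ("https://shop.example.test/api/data",
     {"Content-Type": "application/json",
      "Strict-Transport-Security": "max-age=31536000"},
     '{"debug": true, "items": []}'),
]

# RFC 1918 private ranges; a match in a response indicates internal address disclosure.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)


def get_header(headers, name):
    """Case-insensitive header lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class PassiveChecker:
    """Runs the checks over one session at a time, keeping state across sessions
    so that per-path checks are not repeated for every query-string variant."""

    def __init__(self, custom_patterns=()):
        self.seen_paths = set()
        self.custom_patterns = [re.compile(p) for p in custom_patterns]

    def check(self, url, headers, body):
        findings = []
        parts = urlsplit(url)
        content_type = (get_header(headers, "Content-Type") or "").lower()

        # X-Frame-Options: HTML pages only, once per scheme+host+path, query ignored.
        if "text/html" in content_type:
            path_key = (parts.scheme, parts.netloc, parts.path)
            if path_key not in self.seen_paths:
                self.seen_paths.add(path_key)
                if get_header(headers, "X-Frame-Options") is None:
                    findings.append(("X-Frame-Options header missing", url))

        # HSTS is only meaningful on SSL sites, so report it only for https responses.
        if parts.scheme == "https" and get_header(headers, "Strict-Transport-Security") is None:
            findings.append(("Strict-Transport-Security header missing on SSL site", url))

        # Internal IP disclosure: scan header values and the body for RFC 1918 addresses.
        for text in list(headers.values()) + [body]:
            for ip in PRIVATE_IP_RE.findall(text):
                findings.append((f"Internal IP address disclosed: {ip}", url))

        # Charset: flag a declared charset that is not UTF-8 (assumption: undeclared is not reported).
        charset = re.search(r"charset=([\w-]+)", content_type)
        if charset and charset.group(1) != "utf-8":
            findings.append((f"Charset not UTF-8: {charset.group(1)}", url))

        # Custom-defined regex patterns supplied by the user, matched against the body.
        for pattern in self.custom_patterns:
            if pattern.search(body):
                findings.append((f"Custom pattern matched: {pattern.pattern}", url))

        return findings


def run_checks(sessions=SAMPLE_SESSIONS, custom_patterns=(r'"debug":\s*true',)):
    """Process every session in order and return all findings as (message, url) tuples."""
    checker = PassiveChecker(custom_patterns)
    findings = []
    for url, headers, body in sessions:
        findings.extend(checker.check(url, headers, body))
    return findings


if __name__ == "__main__":
    for message, url in run_checks():
        print(f"{message:55} {url}")
```

Keeping the path cache inside the checker object is what makes the X-Frame-Options check fire once per path rather than once per query-string variant; it also means the cache has to be cleared together with the results list, which is the bug fixed in v1.2.2 below.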
v1.4.0 - 2010-04-24
Attempts have been made at noise-reduction, see below.
Wiki has been updated with more check descriptions, all linked to from inside Watcher.
+++ Check descriptions all improved and updated with recommendations and external references.
* IMPORTANT: All cookie checks now perform noise filtering by default, with no option to change.
* New installations now come with a few noisy checks disabled by default.
* New installations now come with some check configs enabled by default to reduce noise.
! Fixed bug in loosely scoped domain where it wasn't defaulting to origin when one wasn't specified.
! Fixed bug where check configurations weren't saving.
! Assorted bug fixes.
v1.3.0 - 2010-02-25
+++ .NET Framework 3.5 is now required.
+++ Optional plugin (separate download) to export results to Team Foundation Server (TFS).
+ New (BETA) check for ASP.NET VIEWSTATE tampering vulnerability. (thanks to Bryan Sullivan for suggestions)
+ New (BETA) check for JavaServer Faces ViewState tampering vulnerability. (thanks to David Byrne for ideas)
+ New check for Silverlight EnableHtmlAccess.
+ Export results to HTML report.
+ If no origin domain is specified, each response domain will be treated as the origin, enabling better cross-domain analysis.
+ Added compliance mappings for Microsoft SDL.
! Assorted bug fixes throughout check library.
v1.2.2 - 2009-07-24
+ User-Agent now sends version information during update check for tracking purposes.
+ Added Windows 7 support to installer.
! Fixed the configuration page so checking and unchecking immediately affect what checks are run on a request.
! Checks that maintain URL caches weren't clearing when the results list was cleared.
* Changed the 'Charset not UTF-