This project is read-only.


Why use the Watcher passive Web-security scanner?

by Chris Weber, co-founder at Casaba Security, contact me through CodePlex, email me at casaba .com, or drop me a message on Twitter

Ever find yourself looking for that showstopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That's intitially why we created Watcher. For one thing, we don't want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but we still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that showstopper exploit.

Watcher is a Fiddler addon which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. We chose to implement this as a plugin for Fiddler which already provides the proxy framework for HTTP debugging. Some reasons to use Watcher include:
  • Safe for the Cloud and hosting environments. Being passive gives Watcher several advantages - when applications live in the Cloud there's often a risk that running security testing could damage the shared infrastructure. However, using a passive tool like Watcher ensures that there's no chance of damaging Cloud-like infrastructure.
  • Safe for production environments. Watcher does not attack web-applications with loads of intrusive requests, it doesn't modify inputs to your application. Unlike crawlers and web-application scanners, Watcher does not generate dangerous traffic. It quietly analyzes normal user-interaction and makes educated reports on the security of an application.
  • Low overhead, no training. If you’re building web-applications you already have a development and test staff. Fiddler has been valuable to dev and test for years as a general-purpose HTTP debugging proxy. Watcher fits seamlessly into the picture, providing valuable security insight with no special training requirements, dedicated machines, or other resources.

If you're looking for a tool to perform cross-site scripting (XSS) testing, check out our x5s XSS testing tool.

Quick Links


We would like to thank the following people for their hard work, contributions, and ideas:

Eric Lawrence (for building the Fiddler HTTP proxy)

Samuel Bucholtz
Robert Mooney
Jason D. Montgomery
Hidetake Jo
Bryan Sullivan

(Suggestions and Ideas)
Bryan Sullivan
Dave Wichers
Russ McRee
David Byrne
Adrien de Beaupre

Last edited Jun 1, 2017 at 12:40 AM by chrisweber, version 96