Frequently Asked Questions
Do you have a question missing from this page? contact us through
, or email us through watcher at casabasecurity .com to get it up here.
Watcher is a Web-security testing tool that passively identifies vulnerabilities and hot-spots in Web-applications. Being passive means it's safe for production use.
- How does Watcher find vulnerabilities?
Watcher includes a 'check library'. Each check analyzes HTTP requests and responses to identify known issues. Checks are described in more detail on the
- Can it find XSS vulnerabilities?
If you're looking for a tool to perform cross-site scripting (XSS) testing
, check out our
x5s XSS testing tool
. Watcher does include a check to find user-controlled HTML, but x5s is more active and geared toward finding encoding issues that lead to XSS.
- Some checks are noisy, how can I reduce output?
A good noise-reduction profile is to:
- disable the informational header check for X-FRAME-OPTIONS
- disable the informational charset check for UTF-8
- enable the cookie filter in each cookie check
- configure each of the cookie checks with an inclusive filter
- Can I build my own checks?
Yes! It's easy to build a new check. You can grab Watcher's source and build it in directly, or you can create a separate DLL. If you inherit from the
class then your check will automatically be loaded at startup.
- I have an idea for a new check, will you build it?
Yes! Contact us with details, or open a new discussion through CodePlex.
- How can I export results to Team Foundation Server?
Watcher ships a separate component that you can grab from the
. If you download the WatcherTFS.zip you'll find instructions for installing and using the TFS component, which will allow you to export results directly from Watcher to TFS.