Frequently Asked Questions

Do you have a question that is missing from this page? Contact us through CodePlex, or email us at watcher at casabasecurity .com, and we will add it here.
  • What is Watcher?
Watcher is a Web security testing tool that passively identifies vulnerabilities and hot-spots in Web applications. Because it is passive, it is safe to use against production sites.
  • How does Watcher find vulnerabilities?
Watcher includes a 'check library'. Each check analyzes HTTP requests and responses to identify known issues. Checks are described in more detail on the Checks page.
  • Can it find XSS vulnerabilities?
If you're looking for a tool to perform cross-site scripting (XSS) testing, check out our x5s XSS testing tool. Watcher does include a check to find user-controlled HTML, but x5s is more active and geared toward finding encoding issues that lead to XSS.
  • Some checks are noisy; how can I reduce the output?
A good noise-reduction profile is to:
- disable the informational header check for X-FRAME-OPTIONS
- disable the informational charset check for UTF-8
- enable the cookie filter in each cookie check
- configure each of the cookie checks with an inclusive filter
  • Can I build my own checks?
Yes! It's easy to build a new check. You can grab Watcher's source and build it in directly, or you can create a separate DLL. If you inherit from the WatcherCheck class then your check will automatically be loaded at startup.
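To make the check library, the noise-reduction profile above, and a home-grown check concrete, here is a small added example (not Watcher's own code, and in Python rather than Watcher's C#). It models three passive checks over captured responses, with a profile that disables the two informational checks and turns on an inclusive cookie filter; modelling that filter as a set of cookie names to examine is an assumption, and the sample traffic is constructed.

```python
from typing import Callable, Dict, List, Tuple

Response = Tuple[str, List[Tuple[str, str]]]  # (url, [(header, value), ...]) of a captured response
Profile = Dict[str, set]  # "disabled": check names to skip; "cookie_filter": cookie names to include

def header_values(headers, name):
    """Every value of a header, matched case-insensitively (headers may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]

def check_x_frame_options(url, headers, profile):
    """Informational check: the response does not set X-Frame-Options."""
    return [] if header_values(headers, "X-Frame-Options") else [f"{url}: X-Frame-Options not set"]

def check_charset_utf8(url, headers, profile):
    """Informational check: a text/* response declares a charset other than UTF-8, or none."""
    return [f"{url}: charset is not UTF-8 ({ct})" for ct in header_values(headers, "Content-Type")
            if ct.lower().startswith("text/") and "charset=utf-8" not in ct.lower().replace(" ", "")]

def check_cookie_flags(url, headers, profile):
    """Set-Cookie lacking Secure or HttpOnly. With the inclusive filter enabled only the named
    cookies are examined (assumed model of the cookie filter); None means the filter is off."""
    wanted, findings = profile.get("cookie_filter"), []
    for cookie in header_values(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        if wanted is not None and name not in wanted:
            continue
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        findings += [f"{url}: cookie {name!r} lacks {flag}" for flag in ("secure", "httponly")
                     if flag not in attrs]
    return findings

CHECKS: Dict[str, Callable] = {"x_frame_options": check_x_frame_options,
                               "charset_utf8": check_charset_utf8,
                               "cookie_flags": check_cookie_flags}

def run_checks(responses: List[Response], profile: Profile) -> List[str]:
    """Run every check the profile leaves enabled over each captured response; return findings."""
    enabled = [n for n in CHECKS if n not in profile.get("disabled", set())]
    return [f for url, hdrs in responses for n in enabled for f in CHECKS[n](url, hdrs, profile)]

# Constructed sample traffic for a hypothetical host (not real captures).
SAMPLE: List[Response] = [
    ("https://app.example.test/login", [("Content-Type", "text/html; charset=iso-8859-1"),
                                        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
                                        ("Set-Cookie", "lang=en; Path=/")]),
    ("https://app.example.test/api", [("Content-Type", "application/json"),
                                      ("X-Frame-Options", "DENY")]),
]
# Everything on with the filter off ({}) is the noisy default; this is the quiet profile.
QUIET_PROFILE: Profile = {"disabled": {"x_frame_options", "charset_utf8"}, "cookie_filter": {"session"}}
```

Running `run_checks(SAMPLE, {})` yields five findings, while `run_checks(SAMPLE, QUIET_PROFILE)` reduces them to the single missing Secure attribute on the session cookie.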
  • I have an idea for a new check, will you build it?
Yes! Contact us with details, or open a new discussion through CodePlex.
  • How can I export results to Team Foundation Server?
Watcher ships a separate component that you can grab from the download page. If you download WatcherTFS.zip, you'll find instructions for installing and using the TFS component, which lets you export results directly from Watcher to TFS.

Last edited Apr 8, 2010 at 10:20 PM by chrisweber, version 4