Watcher – A Passive Web Application Vulnerability Scanner

January 2, 2018

Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Because it is passive, it only inspects the traffic your browser already generates and never sends its own requests, so it won’t damage production systems and is safe to use in cloud computing, shared hosting, and dedicated hosting environments.

It detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Major Features:

  • Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, CSS, and development frameworks (e.g. ASP.NET, JavaServer)
  • Works seamlessly with complex Web 2.0 applications while you drive the Web browser
  • Non-intrusive, will not raise alarms or damage production sites
  • Real-time analysis and reporting – findings are reported as they’re found, exportable to XML, HTML, and Team Foundation Server (TFS)
  • Configurable domains with wildcard support
  • Extensible framework for adding new checks
Watcher is built as a plugin for the Fiddler HTTP debugging proxy, available at www.fiddlertool.com. Fiddler provides all of the rich functionality of a good Web/HTTP proxy: with it you can capture all HTTP traffic, intercept and modify requests, replay them, and much more. Fiddler supplies the HTTP proxy framework in which Watcher runs, allowing seamless integration with today’s complex Web 2.0 or Rich Internet Applications. Watcher runs silently in the background while you drive your browser and interact with the Web application.
Watcher is built in C# as a small framework with 30+ checks already included. It is designed so that new checks can easily be created, either to perform custom audits specific to your organizational policies or to perform more general-purpose security assessments.
Examples of the types of issues Watcher will currently identify:
  • ASP.NET VIEWSTATE insecure configurations
  • JavaServer MyFaces ViewState without cryptographic protections
  • Cross-domain stylesheet and javascript references
  • User-controllable cross-domain references
  • User-controllable attribute values such as href, form action, etc.
  • User-controllable javascript events (e.g. onclick)
  • Cross-domain form POSTs
  • Insecure cookies which don’t set the HTTPOnly or secure flags
  • Open redirects which can be abused by spammers and phishers
  • Insecure Flash object parameters useful for cross-site scripting
  • Insecure Flash crossdomain.xml
  • Insecure Silverlight clientaccesspolicy.xml
  • Charset declarations which could introduce vulnerability (non-UTF-8)
  • User-controllable charset declarations
  • Dangerous context-switching between HTTP and HTTPS
  • Insufficient use of cache-control headers when private data is concerned (e.g. no-store)
  • Potential HTTP referer leaks of sensitive user-information
  • Potential information leaks in URL parameters
  • Source code comments worth a closer look
  • Insecure authentication protocols like Digest and Basic
  • SSL certificate validation errors
  • SSL insecure protocol issues (allowing SSL v2)
  • Unicode issues with invalid byte streams
  • Sharepoint insecurity checks
  • more…

Watcher writes findings to a ListView which includes the Severity, SessionID, Title, and URL. The full report can be exported to an XML file.

Watcher Results

How To Install Watcher

Note: You must have Fiddler installed on your computer, and Fiddler must have been run at least once before you install Watcher.
Then either run the WatcherSetup.exe installer, or open the .ZIP and copy CasabaSecurity.Web.Watcher.Checks.dll and CasabaSecurity.Web.Watcher.dll into Fiddler’s ‘scripts’ folder.
Download WatcherSetup.exe
Download Watcher.zip
Download WatcherTFS.zip
