I mentioned that Fiddler forms an essential part of my web testing toolkit, and recently I had a hankering for knowledge of Security Testing. Somehow I found my way to a Fiddler plugin called Watcher from Casaba Security. This lets me slowly learn about security testing in the course of my normal testing.
Simple to use: enable Watcher using the new [Security Auditor] tab that appears after installing watcher, and test normally, then check the Security tab and see the warnings Watcher has flagged.
After installing Watcher I have a new “Security Auditor” tab in Fiddler.
I enabled it (leaving all the checks and params as the default).
Then went off and surfed for a while. Came back and checked the Results tab.
And Watcher has ‘flagged’ a whole bunch of stuff as worth looking into. I loved this, so I went off to OWASP to read up on what these might mean and then see if I could figure out how to exploit any of them.
Since I have fiddler running when I test web sites anyway, I shall also have Watcher enabled and after each test session have a quick check for possible security issues and slowly ease myself into learning more about Security Testing. After a while I should feel more confident about tackling the other tools and techniques listed in the “OWASP Testing Guide”.
So if you haven’t installed Fiddler yet - do it. And if you have then - head off to the addons page and go find thee Watcher.