Apr 30, 2009 - 2 minute read - Evil Tester Tools

Learn Security Testing with Fiddler and Watcher

Original Blog Posting on [blog.eviltester.com]

I mentioned that Fiddler forms an essential part of my web testing toolkit, and recently I had a hankering for knowledge of Security Testing. Somehow I found my way to a Fiddler plugin called Watcher from Casaba Security. This lets me slowly learn about security testing in the course of my normal testing.

Simple to use: enable Watcher from the new “Security Auditor” tab that appears in Fiddler after installing it, test as you normally would, then check Watcher's results to see the warnings it has flagged.

After installing Watcher I have a new “Security Auditor” tab in Fiddler.

I enabled it (leaving all the checks and params as the default).

Then went off and surfed for a while. Came back and checked the Results tab.

And Watcher has ‘flagged’ a whole bunch of stuff as worth looking into. I loved this, so I went off to OWASP to read up on what these might mean and then see if I could figure out how to exploit any of them.
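To give a feel for what a passive auditor like Watcher is doing while you browse, here is an added illustration that is not part of the original post and is not Watcher's own code or rule set. It takes raw HTTP responses exactly as a proxy such as Fiddler would see them and flags a few things worth a second look: a session cookie delivered over HTTPS without the Secure flag, a cookie without HttpOnly, and an HTML response with no explicit charset. The URLs, cookie names and responses below are constructed sample data, and the three checks are assumptions about the kind of finding a passive auditor produces, chosen because they need nothing beyond the response headers already passing through the proxy.

```python
"""Toy passive HTTP-response auditor (illustration only, not Watcher's rules).

A passive auditor never sends its own requests; it just inspects the
traffic your normal testing already generates, which is why it can run
all day alongside functional testing.
"""
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed sample sessions: (URL requested, raw response as captured).
SAMPLE_SESSIONS = [
    ("https://shop.example.test/login",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n"
     "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
     "\r\n<html><body>Welcome</body></html>"),
    ("https://shop.example.test/account",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html; charset=utf-8\r\n"
     "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
     "\r\n<html><body>Account</body></html>"),
    ("http://news.example.test/",
     "HTTP/1.1 200 OK\r\n"
     "Content-Type: text/html\r\n"
     "Set-Cookie: tracker=1; Path=/; HttpOnly\r\n"
     "\r\n<html><body>News</body></html>"),
]


def parse_response(raw: str) -> Tuple[str, List[Header], str]:
    """Split a raw HTTP/1.x response into status line, lowercase-named headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_response(url: str, raw: str) -> List[str]:
    """Return human-readable findings for one captured response."""
    findings: List[str] = []
    _status, headers, _body = parse_response(raw)
    over_https = url.lower().startswith("https://")

    for name, value in headers:
        if name != "set-cookie":
            continue
        # "NAME=value; attr; attr..." -> cookie name plus lowercase attribute list
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if over_https and "secure" not in attrs:
            findings.append(f"{url}: cookie {cookie_name} set over HTTPS without the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"{url}: cookie {cookie_name} set without HttpOnly")

    ctype = next((v for n, v in headers if n == "content-type"), "")
    if ctype.lower().startswith("text/html") and "charset=" not in ctype.lower():
        findings.append(f"{url}: text/html response without an explicit charset")
    return findings


def audit_sessions(sessions) -> List[str]:
    """Audit every (url, raw_response) pair, the way a proxy plugin sees a whole browsing session."""
    findings: List[str] = []
    for url, raw in sessions:
        findings.extend(audit_response(url, raw))
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_SESSIONS):
        print("FLAGGED:", finding)
```

Each finding is a prompt to read up and try something, not a confirmed vulnerability; that is exactly the workflow the post describes, where the flagged list is the starting point for a trip to OWASP rather than the end of the exercise.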

Since I have Fiddler running when I test web sites anyway, I shall also have Watcher enabled and after each test session have a quick check for possible security issues and slowly ease myself into learning more about Security Testing. After a while I should feel more confident about tackling the other tools and techniques listed in the “OWASP Testing Guide”.

So if you haven’t installed Fiddler yet - do it. And if you have then - head off to the addons page and go find thee Watcher.