readme

Google 推出一套免費的 Web 安全評估工具

  -w logfile    - this option causes raw, machine-readable proxy logs to be 
                  written to a specified file. By default, all data is written
                  to stdout only. The log produced this way is not meant for 
                  human consumption - it might be postprocessed with third-party
                  utilities, or pretty-printed using 'ratproxy-report.sh',
                  however.

  -v logdir     - prompts ratproxy to store full HTTP traces of all requests 
                  featured in the logfile, writing them to a specified directory.
                  In most cases, it is advisable to enable this option, as it 
                  provides useful hints for further analysis.

  -p port       - causes ratproxy to listen for browser connections on a TCP 
                  port different than the default 8080.

  -r            - instructs ratproxy to accept remote connections. By default, 
                  the proxy listens on loopback interfaces only. This option
                  enables remote access to the service.

                  WARNING: Ratproxy does not feature any specific access 
                  control mechanisms, and may be abused if exposed to the 
                  Internet. Please make sure to use proper firewall controls 
                  whenever using -r option to prevent this.

  -d domain     - specifies a domain name suffix used to distinguish between 
                  the audited infrastructure and third-party sites. Host names
                  that match -d values will be subjected to analysis, and ones
                  that do not will be considered the outside world. Interactions
                  between these two classes will be subjected to additional
                  checks.

                  NOTE: This feature is extremely important for several of the 
                  checks implemented by ratproxy. If -d option is missing, 
                  ratproxy will treat all URLs as being a part of the audited 
                  service, and cross-domain interaction checks will not be 
                  carried out at all. If it is set incorrectly, report coverage 
                  may decrease.

                  Multiple -d options may and often should be combined to 
                  define the perimeter for testing and flow analysis (e.g., -d 
                  example.com -d example-ad-service.com -d example-ng.com).

  -P host:port  - causes ratproxy to talk to an upstream proxy instead of 
                  directly routing requests to target services. Useful for
                  testing systems behind corporate proxies, or chaining
                  multiple proxy-type security testing tools together.

  -l            - ratproxy sometimes needs to tell if a page has substantially 
                  changed between two requests to better qualify the risks 
                  associated with some  observations. By default, this is 
                  achieved through strict page checksum comparison (MD5). This
                  options enables an alternative, relaxed checking mode that 
                  relies on page length comparison instead.

                  Since some services tend to place dynamically generated 
                  tokens on rendered pages, it is generally advisable to enable
                  this mode most of the time.

  -2            - several services are known to render the same page with 
                  dynamic content of variable length in response to two 
                  subsequent, otherwise identical requests. This might be a 
                  result of inline ad rendering, or other content randomization.

                  When dealing with such services, ratproxy might be instructed 
                  to acquire three, not two, samples for page comparison for some 
                  checks, to further minimize the number of false positives.

  -e            - enables pedantic caching header validation. Security problems 
                  may arise when documents clearly not meant to be cached are 
                  served in a way that permits public proxies to store them. By 
                  default, ratproxy detects poorly chosen HTTP/1.1 caching 
                  directives that are most likely to affect general population.

                  Some additional issues may appear with users behind legacy 
                  proxies that support HTTP/1.0 only, however - as is the case
                  with several commercial solutions. These proxies may ignore 
                  HTTP/1.1 directives and interpret HTTP/1.0 cues only. In -e
                  mode, ratproxy will complain about all cases where there 
                  appears to be a mismatch between HTTP/1.0 and HTTP/1.1 caching
                  intents.

                  This tends to generate a large number of warnings for many 
                  services; if you prefer to focus on more pressing issues first,
                  you might want to keep it off at first.

  -x            - tells the proxy to log all URLs that seem to be particularly
                  well-suited for further, external XSS testing (by the virtue 
                  of being echoed on the page in a particular manner). By 
                  default, ratproxy will not actually attempt to confirm these
                  vectors (-X option enables disruptive checking, however) - but
                  you will be able to use the data for manual testing or as 
                  input to third-party software.

                  Generally recommended, unless it proves to be too noisy.

  -t            - by default, ratproxy logs some of the most likely directory 
                  traversal candidates. This option tells the proxy to log less
                  probable guesses, too. These are good leads for manual testing
                  or as input to an external application.

                  Generally recommended, unless it proves to be too noisy.

  -i            - with this option supplied, ratproxy will log all PNG files 
                  served inline. PNG files are a cross-site scripting vector in 
                  some legacy browsers. The default behavior is to log these 
                  images that require authentication only, based on the 
                  assumption that such images are most likely to be
                  user-controlled.

                  This option should be enabled when auditing applications
                  that permit picture uploads and sharing; otherwise, it may 
                  just generate noise.

  -f            - with this option enabled, the proxy will log all Flash 
                  applications encountered for further analysis. This is
                  particularly useful when combined with -v, in which case, Flash
                  files will be automatically disassembled and conveniently 
                  included in 'ratproxy-report.sh' output.

                  Since recent Flash vulnerabilities make the platform a major 
                  potential cross-site scripting vector, it is advisable to 
                  enable this feature.

  -s            - tells ratproxy to log all POST requests for further analysis 
                  and processing, in a separate section of the final report. 
                  This is useful for bookkeeping and manual review, since POST 
                  features are particularly likely to expose certain security
                  design flaws.

  -c            - enables logging of all URLs that seem to set cookies, 
                  regardless of their presumed security impact. Again, useful for
                  manual design analysis and bookkeeping. Not expected to 
                  contribute much noise to the report.

  -g            - extends XSRF token validation checks to GET requests. By 
                  default, the proxy requires anti-XSRF protection on POST 
                  requests and cookie setters only. Some applications tend to 
                  perform state changing operations via GET requests, too, and 
                  so with this option enabled, additional data will be collected
                  and analyzed.

                  This feature is verbose, but useful for certain application 
                  designs.

  -j            - enables detection of discouraged Javascript syntax, such as 
                  eval() calls or .innerHTML operations. Javascript code that 
                  makes use of these will be tagged for manual inspection.

  -m            - enables logging of "active" content referenced across domain 
                  boundaries to detect patterns such as remote image inclusion
                  or remote linking (note that logging of remote script or
                  stylesheet inclusion is enabled at all times).

                  This option has an effect only when a proper set of domains 
                  is specified with -d command-line parameter - and is 
                  recommended for sites where a careful control of cross-domain 
                  trust relationships needs to be ensured.

  -X            - enables active testing. When this option is provided, 
                  ratproxy will attempt to actively, disruptively validate the
                  robustness of XSS and XSRF defenses whenever such a check is
                  deemed necessary. 

                  By the virtue of doing passive preselection, this does not
                  generate excessive traffic and maintains the same level of 
                  coverage as afforded in passive mode.

                  The downside is that these additional requests may disrupt 
                  the application or even trigger persistent problems; as such,
                  please exercise caution when using it against mission-critical
                  production systems.

  -C            - in disruptive testing mode, ratproxy will replay some 
                  requests with modified parameters. This may disrupt the state
                  of some applications and make them difficult to navigate. To
                  remediate this, -C option enables additional replaying of the 
                  unmodified request at the end of the process, in hopes of 
                  restoring the original server-side state.

                  This option is generally recommended in -X mode.

  -k            - instructs ratproxy that the application is expected to use 
                  HTTPS exclusively; any downgrades to HTTP will be reported
                  and prioritized depending on potential impact.

                  This option obviously makes sense only if the application is 
                  indeed meant to use HTTPS and HTTPS only.

  -a            - tells ratproxy to indiscriminately log all visited URLs. 
                  Useful for assessing the coverage achieved.

In practice, for low verbosity reporting that looks for high-probability issues 
only, a good starting point is:

    ./ratproxy -v <outdir> -w <outfile> -d <domain> -lfscm 

To increase verbosity and include output from some less specific checks, the 
following set of options is a good idea:

    ./ratproxy -v <outdir> -w <outfile> -d <domain> -lextifscgjm 

For active testing, simply add -XC options as needed.

Once the proxy is running, you need to configure your web browser to point to 
the appropriate machine and port (a simple Firefox extension such as QuickProxy 
may come handy in the long run); it is advisable to close any non-essential 
browser windows and purge browser cache, as to maximize coverage and minimize 
noise.

The next step is to open the tested service in your browser, log in if 
necessary, then interact with it in a regular, reasonably exhaustive manner: 
try all available views, features, upload and download files, add and delete 
data, and so forth - then log out gracefully and terminate ratproxy with Ctrl-C.

  NOTE: Do not be tempted to tunnel automated spider traffic (e.g. wget -r or 
  active scanners) via ratproxy. This will not have the desired effect. The tool 
  depends strictly on being able to observe well-behaved, valid user-application 
  interaction. 

  SECURITY WARNING: When interacting with SSL applications, ratproxy will 
  substitute its own, dummy, self-signed certificate in place of that 
  legitimately returned by the service. This is expected to generate browser 
  warnings - click through them to accept the key temporarily for the site. Do 
  not add the key permanently to your browser configuration - the key is known to
  anyone who ever downloaded the tool. Furthermore, please note that ratproxy 
  will also forego any server certificate validation steps - so while interacting 
  with the service in this mode, you can have no expectation of server identity, 
  transmission integrity, or data privacy. Do not use important accounts and do 
  not enter sensitive data while running ratproxy tests. 

Once the proxy is terminated, you may further process its pipe-delimited (|), 
machine-readable, greppable output with third party tools if so desired, then 
generate a human-readable HTML report:

    ./ratproxy-report.sh ratproxy.log >report.html 

This will produce an annotated, prioritized report with all the identified 
issues. When opened in a browser, you will have an opportunity to replay GET 
and POST requests, tweak their parameters, view traces, and inspect Flash 
disassemblies, too.

Enjoy :-)

-----------------------------------
Credits, contributions, suggestions
-----------------------------------

If you are interested in contributing to the project, a list of features and 
improvements for the proxy can be found in doc/TODO in the source tarball.

If you have any questions, suggestions, or concerns regarding the application, 
the author can be reached at lcamtuf@google.com.

Ratproxy was made possible by the contributions of, and valuable feedback from, 
Google's information security engineering team.