Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

Version 1.3

News

• Watcher 1.3.0 includes checks for the VIEWSTATE vulnerabilities reported in the Trustwave advisory
• Watcher includes support for OWASP’s Application Security Verification Standard. Version 1.2.0 has been released with documentation describing the Level coverage provided by relevant checks.
• Microsoft mentions Watcher’s use in SDL compliance testing on their SDL Blog
• IE8 Security Program Manager and Fiddler author Eric Lawrence announced the Watcher plugin during his talk at MIX09.

Major Features:

• Passive detection of security, privacy, and PCI compliance issues in HTTP, HTML, Javascript, and CSS
• Works seamlessly with complex Web 2.0 applications while you drive the Web browser
• Non-intrusive, will not raise alarms or damage production sites
• Real-time analysis and reporting - findings are reported as they’re found, exportable to XML
• Configurable domains with wildcard support
• Extensible framework for adding new checks

Dependencies

• Fiddler (The Web Debugging Proxy)