Wednesday, 29 April 2009

Learn Security Testing with Fiddler and Watcher

I mentioned that Fiddler forms an essential part of my web testing toolkit, and recently I had a hankering for knowledge of Security Testing. Somehow I found my way to a Fiddler plugin called Watcher from Casaba Security. This lets me slowly learn about security testing in the course of my normal testing.
Simple to use: enable Watcher using the new [Security Auditor] tab that appears after installing Watcher, test normally, then check the Security tab to see the warnings Watcher has flagged.

After installing Watcher I have a new "Security Auditor" tab in Fiddler.

I enabled it (leaving all the checks and params as the default).

Then went off and surfed for a while. Came back and checked the Results tab.

And Watcher has 'flagged' a whole bunch of stuff as worth looking into. I loved this, so I went off to OWASP to read up on what these might mean and then see if I could figure out how to exploit any of them.
Since I have fiddler running when I test web sites anyway, I shall also have Watcher enabled and after each test session have a quick check for possible security issues and slowly ease myself into learning more about Security Testing. After a while I should feel more confident about tackling the other tools and techniques listed in the "OWASP Testing Guide".
So if you haven't installed Fiddler yet - do it. And if you have then - head off to the addons page and go find thee Watcher.
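To make concrete what a passive auditor like Watcher does while you "test normally", here is an added example (my own illustration, not Watcher's code or its actual rule set, and written in Python rather than the .NET a Fiddler extension would use so it can be run anywhere). It takes a single raw HTTP response, exactly the kind of thing a proxy sees go past, and applies a handful of well-known read-only checks: a Server banner that leaks a version number, text/html without a declared charset, cookies missing HttpOnly or Secure, and absent defensive headers. The sample response and cookie values are constructed, not captured from any site.

```python
import re

# Constructed sample response (not captured from any real site).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.11 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    b"Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)

# Response headers whose absence a passive auditor would flag on any page.
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).

    Header names are lower-cased; repeated headers such as several
    Set-Cookie lines are all kept, in order."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit(raw, scheme="https"):
    """Return a list of (check, detail) findings for one response.

    Purely passive: it only inspects what the server already sent,
    which is why this kind of check is safe to leave on during
    ordinary functional testing."""
    _, headers, _ = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []

    # Server banner that advertises a version number.
    for value in (v for n, v in headers if n == "server"):
        if re.search(r"\d+\.\d+", value):
            findings.append(("server-version-disclosure", value))

    # text/html without an explicit charset invites encoding-based confusion.
    for value in (v for n, v in headers if n == "content-type"):
        lowered = value.lower()
        if lowered.startswith("text/html") and "charset=" not in lowered:
            findings.append(("content-type-missing-charset", value))

    # Cookie attributes; Secure only matters when the page came over https.
    for value in (v for n, v in headers if n == "set-cookie"):
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        cookie_name = value.split("=", 1)[0].strip()
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if scheme == "https" and "secure" not in attrs:
            missing.append("Secure")
        if missing:
            findings.append(("cookie-missing-flags",
                             f"{cookie_name}: {', '.join(missing)}"))

    # Defensive headers the response should carry.
    for name in EXPECTED_HEADERS:
        if name not in present:
            findings.append(("missing-header", name))
    if scheme == "https" and "strict-transport-security" not in present:
        findings.append(("missing-header", "strict-transport-security"))

    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_RESPONSE):
        print(f"[{check}] {detail}")
```

Run against the sample it reports six findings; the same response served over plain http yields five, because the Secure flag and Strict-Transport-Security are only meaningful for https. Each finding is a pointer to read up on, the same way the Watcher results tab is, not a confirmed vulnerability.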


  1. Don't forget performance testing with neXpert!!

    neXpert looks really useful. I just haven't been able to install it yet. Thanks for the pointer Adam.

  2. Thanks for the nice review of Watcher! I wanted you to know we'll be releasing a new version soon with many improvements including support for OWASP's new ASVS standard, with clear mappings so you'll know what level of coverage Watcher provides.

    Thanks Chris, I'll be watching out for the new release.

  3. [...] Learn Security Testing with Fiddler and Watcher – Alan Richardson (Evil Tester); [...]

    One for all you Portuguese readers

  4. Just wondering, can the security results be exported/saved automatically to file. Might be useful for integration with custom log parsing and Selenium to do automated security regression analysis when running automated web app tests. Either parse the results file and send parsed results or just send directly the security results unparsed along with automated test results for QA (and/or developers) to review.