18 July, 2012

How to Setup RatProxy on Windows

How to Setup RatProxy on Windows
Secure Ideas
Author: Secure Ideas
Share:

In an effort to help developers and other Windows users get started adding security testing into their process, this post will describe the process to install RatProxy on Windows. RatProxy is an interception tool that is used to inspect web traffic and identify potential security vulnerabilities.

RatProxy is distributed as code and needs to be compiled before we can run it. In the Windows environment, this is done by installing Cygwin. Once Cygwin has been installed, RatProxy can be compiled and then used. If you already have Cygwin installed, you can skip to the next section.

Installing Cygwin

The following steps outline how to install Cygwin on a Windows system:

  1. Download the Cygwin installer from cygwin.com.
  2. Unzip the installation package (may require a program such as 7-zip).
  3. Run the Setup.exe installer.
  4. Follow the on screen prompts, using the default is fine, until the Utilities screen appears. Select the following packages: make from the devel package, gcc-core from the devel package, openssl-devel from the devel package, and OpenSSL (The Open SSL runtime environment) from the Libs package.
  5. Complete the installation. This may take some time as it downloads all of the packages needed.

For a video walkthrough of installing Cygwin, watch this tutorial.

Installing RatProxy

To install RatProxy follow these steps:

  1. Download the package from Google Code.
  2. Unzip the downloaded RatProxy distribution file into the Cygwin directory. If Cygwin was installed to C:\cygwin then RatProxy should be unzipped to C:\cygwin\ratproxy.
  3. Update Flare (used to decompile flash objects): open the readme file in the RatProxy\flare-dist directory for the latest instructions. Open the URL for the Windows distribution and save the file. Unzip the file into the RatProxy\flare-dist directory.
  4. Modify the Makefile (C:\cygwin\ratproxy\makefile) and remove the -Wno-pointer-sign from CFLAGS = -Wall -O3 -Wno-pointer-sign -D_GNU_SOURCE.
  5. Save the Makefile.
  6. Open a Cygwin bash by double-clicking the C:\cygwin\Cygwin.bat file.
  7. Navigate to the ratproxy directory. If installed at C:\cygwin\ratproxy, type cd ../../ratproxy and press enter.
  8. Type make and press enter. If you receive an error that looks like ratproxy.c:1635: error: incompatible type for argument 2 of 'waitpid', open ratproxy.c and modify line 1635 from while (waitpid(-1,&x,WNOHANG) > 0); to while (waitpid(-1,(int*)&x,WNOHANG) > 0);. Run the make command again. This should run successfully.
  9. Add Cygwin to your path: right-click "My Computer" and select "Properties." Select "Advanced system settings" and then select "Environmental Variables." Find the "Path" variable under "System Variables" and edit it. Add ;C:\Cygwin\bin to the end of the "Variable Value."

At this point, RatProxy should be installed and ready to run.

Running RatProxy

  1. Open a command shell (cmd.exe, not the Cygwin bash).
  2. Navigate to C:\cygwin\ratproxy (or the path that RatProxy was installed to).
  3. Type the following at the command prompt: ratproxy.exe -v C:\cygwin\ratproxy -w ratproxy.log -p 8080 -lextifscijmXC
  4. To quit RatProxy, press Ctrl+C.

Once RatProxy is running, change your browser to go through the proxy just created on port 8080. Now all traffic that is passed through the browser will go through RatProxy. Once finished testing, enter Ctrl+C at the command prompt to stop RatProxy.

Creating the RatProxy Report

  1. Go back to your bash shell, or open it if it hasn't been started.
  2. Navigate to the ratproxy directory.
  3. Type ./ratproxy-report.sh ratproxy.log > report.html and press enter.
  4. Now open the ratproxy folder in an explorer window and open the report.html file. This should contain the results of your testing.

Although it may seem like a lot of work getting this up and running, it can be very beneficial to increasing the security of your applications. Developers can now run RatProxy while they test their new features and get some feedback on potential security issues just by doing normal testing. Of course, this does not cover all vulnerabilities and security testing still needs to be performed, but it is a step in the right direction and will help reduce possible vulnerabilities.

Need a professional web application security assessment?

Our team uses industry-leading tools and manual testing techniques to find vulnerabilities that automated scanners miss. Reach out to discuss a penetration test.

Talk to Our Team