
Ratproxy - semi-automated, largely passive web application security audit tool - stakent
http://code.google.com/p/ratproxy/
======
tptacek
This is Michal Zalewski's project. I think it's been around for a while. It's
one of a couple of tools that all work by watching your requests and then
probing the sites you hit for common vulnerabilities; essentially, it wants to
use you as a spider.

Zalewski is very into passive detection of things (he's behind p0f, which is
one of the more famous network security tools), and so that's ratproxy's
"hook": it's just looking at your traffic, not generating many thousands of
probes.

What does this mean to you as a startup developer? Not much. Tools like
ratproxy _may_ tell you about a few vulnerabilities you didn't know about ---
in which case, hey, free money! --- but you still need to know how to test
your application manually for everything ratproxy does, and several things it
doesn't.

