RatProxy can be considered a specialized protocol analyzer for interpreting HTML transactions. Suppose there is a web transaction that you are curious about. For example, it seems to return user-created text to you, and you suspect that this may indicate a cross-site scripting (XSS) attack is possible.
Preparation:
- I found How to Setup RatProxy on Windows to be a useful resource for installing Cygwin and RatProxy on Windows.
- The Firefox addon Elite Proxy Switcher is more than sufficient to make changing proxy settings simple.
- The 7-zip archive utility is used by the batch file which follows. Neither the batch file nor the utility is required, but you may find them convenient.
- Add a batch file (preserve.bat) to the c:\cygwin\bin folder:
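@echo off
rem Usage: preserve <project>
rem Paths are relative to the current directory, so run it from C:\cygwin\ratproxy.
if (%1)==() goto ERRPARM
rem Rename report.html to <project>.html
ren ..\ratproxy\report.html %1.*
rem Archive the trace files and the log as <project>.zip
"C:\Program Files\7-Zip\7z.exe" a ..\ratproxy\%1.zip ..\ratproxy\*.trace ..\ratproxy\ratproxy.log
rem Keep the trace files if the archive step reported a problem
if errorlevel 1 goto EXIT
del ..\ratproxy\*.trace
goto EXIT
:ERRPARM
echo Name for report and zip file is required.
:EXIT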
With that preparation complete, and with Firefox ready to submit your interaction:
1. Open a command shell (cmd.exe).
2. Paste these two lines into the command window:
cd C:\cygwin\ratproxy
ratproxy.exe -v c:\cygwin\ratproxy -w ratproxy.log -p 8080 -lextifscijmXC
This creates a web proxy on port 8080. The “-lextifscijmXC” options may not be appropriate for your testing; see the RatProxy documentation.
3. Change your browser to use this proxy (localhost:8080). Traffic that is passed through the browser will go through RatProxy.
4. Your test traffic occurs here.
5. In the command window (from step 2) press Ctrl+C to quit RatProxy.
6. Undo the browser proxy changes (from step 3).
7. Create the RatProxy report by pasting these four lines into the command window (from steps 2 and 5). This runs the report in a bash shell.
C:\cygwin\Cygwin.bat
cd /ratproxy
./ratproxy-report.sh ratproxy.log > report.html
logout
This will require another Enter.
C:\cygwin\ratproxy\report.html, C:\cygwin\ratproxy\ratproxy.log and one or more .trace files in the C:\cygwin\ratproxy\ folder will contain the results of your testing. These .trace files are not Wireshark-compatible, but they are interpreted network protocol analyzer results.
8. Clean up. To associate the report.html file with the .trace files and to prepare for the next traffic capture, I added a batch file (preserve.bat) to c:\cygwin\bin. In the command window (from steps 2, 5 and 7), enter
preserve <project>
where <project> is a term you choose to remember what you were testing.
You will now have a <project>.html file and a <project>.zip file in C:\cygwin\ratproxy\. You can close the command window.
In the HTML file you will see each POST transaction followed by a [view trace] hyperlink (such as c:\cygwin\ratproxy/506875b7-2ac4.trace). The hyperlink wasn’t working anyway, but it does indicate which of the .trace files to associate with this POST transaction.
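
Because the [view trace] links do not open, the association between report entries and trace files has to be made by file name. The following shell script is an added example, not part of the original post: it runs in the Cygwin bash shell, pulls the trace file names out of a report and checks that each one is still on disk. It assumes trace names follow the hex-hex.trace form of the one quoted above; the function names and the sample report fragment are constructed for illustration.

```sh
#!/bin/sh
# Added example: list the .trace files a ratproxy report refers to and
# confirm each one exists. Assumption: trace names look like the one
# quoted in the post (506875b7-2ac4.trace). The report's HTML layout is
# not assumed; any name of that form anywhere in the file is picked up.
# Usage (script name is hypothetical): sh check_traces.sh report.html /ratproxy

# Print each distinct trace file name found in report $1, one per line.
trace_refs() {
    grep -oE '[0-9a-fA-F]+-[0-9a-fA-F]+\.trace' "$1" | sort -u
}

# For every trace named in report $1, say whether it exists in directory $2.
# Returns 1 if at least one referenced trace is missing, otherwise 0.
check_traces() {
    missing=0
    for t in $(trace_refs "$1"); do
        if [ -f "$2/$t" ]; then
            echo "ok      $t"
        else
            echo "MISSING $t"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: three links naming two traces, one of them on disk.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/report.html" <<'EOF'
<a href="c:\cygwin\ratproxy/506875b7-2ac4.trace">[view trace]</a>
<a href="c:\cygwin\ratproxy/506875c1-0b1f.trace">[view trace]</a>
<a href="c:\cygwin\ratproxy/506875b7-2ac4.trace">[view trace]</a>
EOF
    : > "$d/506875b7-2ac4.trace"
    rc=0
    check_traces "$d/report.html" "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Run against real files only when a report and a trace directory are given.
if [ "$#" -eq 2 ]; then
    check_traces "$1" "$2"
fi
```

Running the check before preserve.bat confirms that every trace the report points to will end up in the archive.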