Running RatProxy in a Windows and cygwin environment

RatProxy can be considered a specialized protocol analyzer for interpreting HTTP transactions. Suppose there is a web transaction that you are curious about. For example, it seems to return user-created text to you, and you suspect that this may mean a cross-site scripting (XSS) attack is possible.

Preparation:

  1. I found How to Setup RatProxy on Windows to be a useful resource for installing Cygwin and RatProxy on Windows.
  2. The Firefox addon Elite Proxy Switcher is more than sufficient to make changing proxy settings simple.
  3. The 7-zip archive utility is used by the batch file which follows. Neither the batch file nor the utility is required, but you may find them convenient.
  4. Add a batch file (preserve.bat) to the c:\cygwin\bin folder:

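    @echo off
    rem Usage: preserve PROJECT
    if (%1)==() goto ERRPARM
    rem Rename report.html to PROJECT.html
    ren ..\ratproxy\report.html %1.*
    rem Archive the traces and the log as PROJECT.zip, then delete the traces
    "C:\Program Files\7-Zip\7z.exe" a ..\ratproxy\%1.zip ..\ratproxy\*.trace ..\ratproxy\ratproxy.log
    del ..\ratproxy\*.trace
    goto EXIT
    :ERRPARM
    echo Name for report and zip file is required.
    :EXIT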

With that preparation complete, and with Firefox ready to submit your interaction:

  1. Open a command shell (cmd.exe).
  2. Paste these two lines into the command window:

    cd C:\cygwin\ratproxy
    ratproxy.exe -v c:\cygwin\ratproxy -w ratproxy.log -p 8080 -lextifscijmXC

    This creates a web proxy on port 8080. The “-lextifscijmXC” options may not be appropriate for your testing; see the RatProxy documentation.

  3. Change your browser to use this proxy (localhost:8080).  Traffic that is passed through the browser will go through RatProxy.
  4. Your test traffic occurs here.
  5. In the command window (from step 2) press Ctrl+C to quit RatProxy.
  6. Undo the browser proxy changes (from step 3).
  7. Create the RatProxy report by pasting these four lines into the command window (from steps 2 and 5). This runs the report in a bash shell.

    C:\cygwin\Cygwin.bat
    cd /ratproxy
    ./ratproxy-report.sh ratproxy.log > report.html
    logout

    This will require another Enter.

    C:\cygwin\ratproxy\report.html, C:\cygwin\ratproxy\ratproxy.log, and one or more .trace files in the C:\cygwin\ratproxy\ folder will contain the results of your testing. These .trace files are not Wireshark-compatible, but they are interpreted network protocol analyzer results.

  8. Clean up. To associate the report.html file with the .trace files and to prepare for the next traffic capture, I added a batch file (preserve.bat, listed under Preparation) to c:\cygwin\bin. In the command window (from steps 2, 5 and 7), enter

    preserve <project>

    where <project> is a term you choose to remember what you were testing.

    You will now have a <project>.html file and a <project>.zip file in C:\cygwin\ratproxy\. You can close the command window.

In the HTML file you will see each POST transaction followed by a [view trace] hyperlink (such as c:\cygwin\ratproxy/506875b7-2ac4.trace). The hyperlink wasn’t working anyway, but it does indicate which of the .trace files to associate with this POST transaction.
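
Because the [view trace] links do not open, the trace names in the report can be matched against the folder contents from the Cygwin shell instead. The script below is an added example, not part of the original post: its function names and the sample report fragment are constructed, and it assumes every trace name has the same shape as the one quoted above. Run it after step 7 and before preserve.bat deletes the .trace files.

```shell
#!/bin/bash
# Added example, not from the original post. Names below are hypothetical.
# Assumption: the report names each trace as <hex>-<hex>.trace, like the
# link quoted in the text (c:\cygwin\ratproxy/506875b7-2ac4.trace).

# Print the unique trace file names mentioned in report $1.
report_traces() {
    grep -oE '[0-9a-f]+-[0-9a-f]+\.trace' "$1" | sort -u
}

# For report $1 and trace folder $2, print one line per trace file:
#   present NAME   referenced by the report and found in the folder
#   missing NAME   referenced by the report but not in the folder
#   orphan NAME    in the folder but not referenced by the report
check_traces() {
    report_traces "$1" | while IFS= read -r name; do
        if [ -f "$2/$name" ]; then
            echo "present $name"
        else
            echo "missing $name"
        fi
    done
    for f in "$2"/*.trace; do
        [ -e "$f" ] || continue    # folder holds no .trace files
        name=${f##*/}
        report_traces "$1" | grep -qxF "$name" || echo "orphan $name"
    done
}

# Constructed sample: a two-link report fragment and two empty trace files.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '<a href="c:\cygwin\ratproxy/506875b7-2ac4.trace">[view trace]</a>' \
        '<a href="c:\cygwin\ratproxy/506875c1-2ac4.trace">[view trace]</a>' \
        > "$d/report.html"
    : > "$d/506875b7-2ac4.trace"
    : > "$d/50687600-2ac4.trace"
    check_traces "$d/report.html" "$d"
    rm -rf "$d"
}

# With two arguments (report, folder) check real files; otherwise do nothing.
if [ $# -eq 2 ]; then check_traces "$1" "$2"; fi
```

A "missing" line means the report points at a trace that is no longer in the folder, which is what you would see if the check is run after preserve.bat has already archived and deleted the traces.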
