debian/changelog:

ratproxy (1.58+dfsg-3build1) oneiric; urgency=low

  * Rebuild for OpenSSL 1.0.0.

 -- Colin Watson  Tue, 17 May 2011 11:44:19 +0100

ratproxy (1.58+dfsg-3) unstable; urgency=low

  * [27c2bfb] Fix SSL proxying by including the ssl certificate (LP: #544097)
  * [dca3f0d] Switch to my debian address and remove DM-Upload-Allowed.
  * [b399fa3] Standards version 3.8.4 (no changes needed)

 -- Iustin Pop  Sun, 18 Apr 2010 20:40:07 +0200

ratproxy (1.58+dfsg-2) unstable; urgency=low

  * Switch to source format 3.0 (quilt)
  * Standards version 3.8.3 (no changes needed)
  * Change section per the archive override

 -- Iustin Pop  Fri, 25 Dec 2009 09:38:41 +0100

ratproxy (1.58+dfsg-1) unstable; urgency=low

  [ Iustin Pop ]
  * New Upstream Version
  * Removed Patrick from uploaders (per his request)
  * Update standards version to 3.8.2 (no changes needed)

  [ Guido Trotter ]
  * Set Dm-Upload-Allowed: yes

 -- Iustin Pop  Tue, 28 Jul 2009 20:46:56 +0200

ratproxy (1.57+dfsg-1) unstable; urgency=low

  * New upstream release
  * Document how to use flare (the flash decompiler) in README.Debian, and
    patch the source to execute it only from path instead of first trying
    the current directory

 -- Iustin Pop  Thu, 23 Apr 2009 00:01:34 +0200

ratproxy (1.56+dfsg-1) unstable; urgency=low

  * New upstream release (ITP was filed long time ago)
  * Add manpages for the two binaries
  * Standard version 3.8.1 (no changes)

 -- Iustin Pop  Fri, 10 Apr 2009 13:17:00 +0200

ratproxy (1.51+dfsg-1) unstable; urgency=low

  * Initial release (Closes: #489278)
  * Repack upstream tarball to remove flare-dist which is closed-source

 -- Patrick Schoenfeld  Sat, 05 Jul 2008 14:55:23 +0200

debian/rules:

#!/usr/bin/make -f
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

INSTDIR=$(CURDIR)/debian/ratproxy

# Fetch the upstream tarball, strip the non-free flare decompiler and repack
# it as the +dfsg orig tarball (the <upstream-version> tag in the sed
# expression was lost in extraction and is restored here).
get-orig-source:
	set -ex; tempdir=$$(mktemp -d) && targetdir=$$(cd ..; pwd) && \
	version=$$(uscan --no-download --dehs | \
	   sed -n 's/.*<upstream-version>\(.*\)<\/upstream-version>.*/\1/p') && \
	uscan --destdir $${tempdir} --force-download && \
	cd $${tempdir} && tar xzf ratproxy_$${version}.orig.tar.gz && \
	mv ratproxy ratproxy-$${version}.orig && \
	rm -rf ratproxy-$${version}.orig/flare-dist \
	   ratproxy-$${version}.orig/flare && \
	GZIP="--best --rsyncable" tar czf $$targetdir/ratproxy_$${version}+dfsg.orig.tar.gz ratproxy-$${version}.orig && \
	rm -rf $${tempdir}

build: build-stamp

build-stamp:
	dh_testdir
	$(MAKE)
	touch $@

clean:
	dh_testdir
	dh_testroot
	rm -f build-stamp
	$(MAKE) clean
	dh_clean

install: build
	dh_testdir
	dh_testroot
	dh_clean -k
	dh_installdirs

	# Add here commands to install the package into debian/ratproxy.
	#$(MAKE) DESTDIR=$(CURDIR)/debian/ratproxy install
	install -m 0755 ratproxy \
	   $(INSTDIR)/usr/bin/ratproxy
	install -m 0755 ratproxy-report.sh \
	   $(INSTDIR)/usr/bin/ratproxy-report
	install -m 0644 ratproxy-back.png \
	   $(INSTDIR)/usr/share/images/ratproxy/ratproxy-back.png
	install -m 0644 messages.list \
	   $(INSTDIR)/usr/share/ratproxy/messages.list
	install -m 0644 keyfile.pem \
	   $(INSTDIR)/usr/share/ratproxy/keyfile.pem

# Build architecture-independent files here.
binary-indep: build install
# We have nothing to do by default.

# Build architecture-dependent files here.
binary-arch: build install
	dh_testdir
	dh_testroot
	dh_installchangelogs
	dh_installdocs
	dh_installexamples
#	dh_install
#	dh_installmenu
#	dh_installdebconf
#	dh_installlogrotate
#	dh_installemacsen
#	dh_installpam
#	dh_installmime
#	dh_python
#	dh_installinit
#	dh_installcron
#	dh_installinfo
	dh_installman
	dh_link
	dh_strip
	dh_compress
	dh_fixperms
#	dh_perl
#	dh_makeshlibs
	dh_installdeb
	dh_shlibdeps
	dh_gencontrol
	dh_md5sums
	dh_builddeb

binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install configure

debian/watch:

version=3
opts="dversionmangle=s/\+dfsg//" \
  http://code.google.com/p/ratproxy/downloads/list http://ratproxy.googlecode.com/files/ratproxy-(.*).tar.gz

debian/ratproxy.1:

.\" Originally generated by help2man 1.36.
.TH RATPROXY "1" "April 2009" "ratproxy 1.56-beta" "User Commands"
.SH NAME
ratproxy \- a passive web application security assessment tool
.SH SYNOPSIS
.B ratproxy
.nh
[\fI-w logfile\fR] [\fI-v logdir\fR] [\fI-p port\fR] [\fI-d domain\fR] [\fI-P host:port\fR] [\fI-xtifkgmjscael2XCr\fR]
.hy
.SH DESCRIPTION
Ratproxy is a semi-automated, largely passive web application security audit
tool. It is meant to complement active crawlers and manual proxies more
commonly used for this task, and is optimized specifically for an accurate and
sensitive detection, and automatic annotation, of potential problems and
security-relevant design patterns based on the observation of existing,
user-initiated traffic in complex web 2.0 environments.
.SH OPTIONS
.HP
\fB\-w\fR logfile \- write results to a specified file (default: stdout)
.HP
\fB\-v\fR logdir \- write HTTP traces to a specified directory (default: none)
.HP
\fB\-p\fR port \- listen on a custom TCP port (default: 8080)
.HP
\fB\-d\fR domain \- analyze requests to specified domains only (default: all)
.HP
\fB\-P\fR host:port \- use upstream proxy for all requests (format host:port)
.HP
\fB\-r\fR \- accept remote connections (default: 127.0.0.1 only)
.HP
\fB\-l\fR \- use response length, not checksum, for identity check
.HP
\fB\-2\fR \- perform two, not one, page identity check
.HP
\fB\-e\fR \- perform pedantic caching headers checks
.HP
\fB\-x\fR \- log all XSS candidates
.HP
\fB\-t\fR \- log all directory traversal candidates
.HP
\fB\-i\fR \- log all PNG files served inline
.HP
\fB\-f\fR \- log all Flash applications for analysis (add \fB\-v\fR to decompile)
.HP
\fB\-s\fR \- log all POST requests for analysis
.HP
\fB\-c\fR \- log all cookie setting URLs for analysis
.HP
\fB\-g\fR \- perform XSRF token checks on all GET requests
.HP
\fB\-j\fR \- report on risky Javascript constructions
.HP
\fB\-m\fR \- log all active content referenced across domains
.HP
\fB\-X\fR \- disruptively validate XSRF, XSS protections
.HP
\fB\-C\fR \- try to auto\-correct persistent side effects of \fB\-X\fR
.HP
\fB\-k\fR \- flag HTTP requests as bad (for HTTPS\-only applications)
.HP
\fB\-a\fR \- indiscriminately report all visited URLs
.SH EXAMPLES
Example settings suitable for most tests:
.TP
1) Low verbosity  : \fB\-v\fR \fB\-w\fR \fB\-d\fR \fB\-lfscm\fR
.TP
2) High verbosity : \fB\-v\fR \fB\-w\fR \fB\-d\fR \fB\-lextifscgjm\fR
.TP
3) Active testing : \fB\-v\fR \fB\-w\fR \fB\-d\fR \fB\-XClfscm\fR
.PP
Multiple \fB\-d\fR options are allowed. Consult the documentation for more.
.PP
.SH AUTHOR
ratproxy is written and maintained by Michal Zalewski
.PP
This manual page was generated via help2man by Iustin Pop for the Debian
project (but may be used by others).
.SH SEE ALSO
.BR ratproxy-report "(1)"

debian/compat:

5

debian/README.Debian:

ratproxy for Debian
===================

Limitations:
------------

The original source includes flare, a flash decompiler. Unfortunately it is
not available in source form, so we cannot ship it. This means that the
analysis of SWF files by ratproxy will not work by default.

In order to get flare working, you need to download flare, either from its
website at http://www.nowrap.de/flare.html, or from the original source code
of ratproxy at http://code.google.com/p/ratproxy/, and then put the flare
binary in your path; this will allow ratproxy (when the -f and -v options are
passed) to execute it.

Also note that analysis of the flare binary shows that it tries to create a
temporary file in the current directory, so make sure to change to a writable
directory before running ratproxy.

 -- Iustin Pop  Wed, 22 Apr 2009 23:34:40 +0200

debian/source/format:

3.0 (quilt)

debian/control:

Source: ratproxy
Section: web
Priority: extra
Maintainer: Iustin Pop
Build-Depends: debhelper (>= 5), libssl-dev
Standards-Version: 3.8.4
Homepage: http://code.google.com/p/ratproxy/
Vcs-Browser: http://git.debian.org/?p=collab-maint/ratproxy.git
Vcs-Git: git://git.debian.org/git/collab-maint/ratproxy.git

Package: ratproxy
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: passive web application security assessment tool
 A semi-automated, largely passive web application security audit tool,
 optimized for an accurate and sensitive detection, and automatic annotation,
 of potential problems and security-relevant design patterns based on the
 observation of existing, user-initiated traffic in complex web 2.0
 environments.
 .
 Detects and prioritizes broad classes of security problems, such as dynamic
 cross-site trust model considerations, script inclusion issues, content
 serving problems, insufficient XSRF and XSS defenses, and much more.

debian/patches/report-messages.diff:

This patch makes the ratproxy-report script work when not run from the
original source tree. Added on Fri, 10 Apr 2009 14:58:12 +0200, in
1.56+dfsg-1.

The patch is a modified form of the patch available at
http://code.google.com/p/ratproxy/issues/detail?id=11, which was written by
adamsc@gmail.com. This customized version fixes the problem in the context of
the debian packaging (where the messages.list file is installed under
/usr/share/ratproxy, and not near the report script).

Iustin Pop

--- a/ratproxy-report.sh
+++ b/ratproxy-report.sh
@@ -37,6 +37,8 @@ exit 1 fi +MESSAGES=/usr/share/ratproxy/messages.list + test "$RAT_URLPREFIX" = "" || RAT_URLPREFIX="/$RAT_URLPREFIX/" # Output prologue... @@ -214,7 +216,7 @@ fi echo "" - grep -F "~$desc~" messages.list | cut -d'~' -f3 + grep -F "~$desc~" "$MESSAGES" | cut -d'~' -f3 echo "

" PREVDESC="$desc"

debian/patches/report-image.diff:

This patch changes the report tool to point to the image as installed by the
debian package, and not in the current directory. Not optimal as it uses
file paths, but it makes the report tool link properly to it.
Added in 1.56+dfsg-1 by Iustin Pop on Fri, 10 Apr 2009 15:05:16 +0200.

--- a/ratproxy-report.sh
+++ b/ratproxy-report.sh
@@ -50,7 +50,7 @@

debian/patches/flare-execute-from-cwd.diff:

This patch removes the execution of flare from the local directory, and only
executes it from path. Since packaged ratproxy doesn't expect flare in the
local directory, this is safer (IMHO).

Wed, 22 Apr 2009 23:20:39 +0200
Iustin Pop

--- a/ratproxy.c
+++ b/ratproxy.c
@@ -618,7 +618,6 @@ if (!(pid = fork())) { /* Flare is way too noisy, let's close stderr. */ close(2); - execl("./flare","flare",tmp,NULL); execlp("flare","flare",tmp,NULL); exit(1); }

debian/patches/path-to-ssl-cert.diff:

Description: Load the ssl certificate from absolute location
 Currently ssl.c loads the ssl certificate from the local directory, which is
 fine for the compiled-from-source case but not for the packaged binaries.
Bug: http://code.google.com/p/ratproxy/issues/detail?id=34
Author: Iustin Pop
Last-Update: 2010-04-18

--- a/ssl.c
+++ b/ssl.c
@@ -44,6 +44,8 @@ #include "debug.h" #include "ssl.h" +#define SSLCERT_FILE "/usr/share/ratproxy/keyfile.pem" + _s32 ssl_cli_tap, /* Client traffic tap */ ssl_srv_tap; /* Server traffic tap */
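Review bot: the `MESSAGES=/usr/share/ratproxy/messages.list` line added in the `@@ -37,6 +37,8 @@` hunk of report-messages.diff hardcodes the path without checking that the file is readable, so a missing or unreadable messages.list only shows up later as one grep error per report entry. Since the script already has an `exit 1` error path just above this hunk, suggest `test -r "$MESSAGES" || { echo "cannot read $MESSAGES" >&2; exit 1; }` directly after the assignment, and optionally `MESSAGES=${RAT_MESSAGES:-/usr/share/ratproxy/messages.list}` so a run from the source tree can override it the same way `RAT_URLPREFIX` is taken from the environment on the next visible line.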
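Review bot: the `@@ -50,7 +50,7 @@` hunk of report-image.diff has no body in this copy of the patch, so the edit itself cannot be checked here; going by the description, linking the report to the image's installed filesystem path means the generated HTML only shows the image on a machine that has the package installed at that path, and a report copied to another host or served over HTTP gets a broken image link. Suggest copying ratproxy-back.png next to the report, or building the link from `RAT_URLPREFIX`, which the report script already honours for its trace links.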
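Review bot: removing the `execl("./flare","flare",tmp,NULL);` line in the `@@ -618,7 +618,6 @@` hunk of flare-execute-from-cwd.diff is the right call: README.Debian tells users to change into a writable directory before running ratproxy because flare writes a temporary file there, so trying `./flare` first would execute whatever binary happens to sit in that working directory. Two points on the lines that remain: `execlp("flare",...)` still resolves through `PATH`, so a `PATH` containing `.` or an empty entry reintroduces the same lookup (worth a sentence in README.Debian next to the "put the flare binary in your path" advice), and the child's `exit(1)` after a failed exec runs the forked copy of the parent's atexit handlers and flushes its inherited stdio buffers a second time; `_exit(1)` is the usual choice in a fork child.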
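Review bot: the `+#define SSLCERT_FILE "/usr/share/ratproxy/keyfile.pem"` added in the `@@ -44,6 +44,8 @@` hunk of path-to-ssl-cert.diff bakes the Debian path into ssl.c, so the source-built case loses the relative `keyfile.pem` default and the patch has to be carried indefinitely. Wrapping it as `#ifndef SSLCERT_FILE` / `#define SSLCERT_FILE "keyfile.pem"` / `#endif` and passing `-DSSLCERT_FILE='"/usr/share/ratproxy/keyfile.pem"'` in CFLAGS from debian/rules gives the package the same behaviour while keeping the change small enough to propose upstream.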
@@ -143,10 +145,10 @@ if (!srv_ctx || !cli_ctx || !err) ssl_fatal("unable to create SSL CTX or BIO", err); - if (SSL_CTX_use_certificate_chain_file(cli_ctx,"keyfile.pem") != 1) + if (SSL_CTX_use_certificate_chain_file(cli_ctx, SSLCERT_FILE) != 1) ssl_fatal("certificate load failed", err); - if (SSL_CTX_use_PrivateKey_file(cli_ctx,"keyfile.pem",SSL_FILETYPE_PEM) != 1) + if (SSL_CTX_use_PrivateKey_file(cli_ctx,SSLCERT_FILE,SSL_FILETYPE_PEM) != 1) ssl_fatal("private key load failed", err); cli_ssl = SSL_new(cli_ctx);

debian/patches/makefile-no-flare-check.diff:

This patch removes the flare warnings in the build process, as we know we're
not shipping a working flare binary.

Iustin Pop
Wed, 22 Apr 2009 23:57:34 +0200

--- a/Makefile
+++ b/Makefile
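Review bot: after the `@@ -143,10 +145,10 @@` hunk, `SSL_CTX_use_PrivateKey_file(cli_ctx, SSLCERT_FILE, ...)` reads the private key from /usr/share/ratproxy/keyfile.pem, which debian/rules installs with `install -m 0644`, so every local user can read the key that the client-side context (`cli_ctx`, the "Client traffic tap" side) uses to terminate TLS for the browser, and the same key ships in every installation of the package. A safer default would be a per-installation key generated in postinst into a root-owned 0600 file under /etc or /var/lib and referenced from here, or at minimum a README.Debian note stating that the shipped key is shared and world-readable.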
@@ -23,7 +23,7 @@ CFLAGS = -Wall -O3 -Wno-pointer-sign -D_GNU_SOURCE LDFLAGS = -lcrypto -lssl -all: $(PROGNAME) flare-check +all: $(PROGNAME) $(PROGNAME): $(PROGNAME).c http.c mime.c ssl.c http.h mime.h ssl.h nlist.h config.h debug.h types.h string-inl.h $(CC) $(PROGNAME).c -o $(PROGNAME) $(CFLAGS) http.c mime.c ssl.c $(LDFLAGS)

debian/patches/series:

makefile-no-flare-check.diff
flare-execute-from-cwd.diff
report-image.diff
report-messages.diff
path-to-ssl-cert.diff

debian/copyright:

This package was debianized by Patrick Schoenfeld on
Fri, 04 Jul 2008 21:30:04 +0200.

It was downloaded from http://code.google.com/p/ratproxy/

Upstream Author: Michal Zalewski

Copyright:

    Copyright © 2007, 2008 by Google Inc.
    Copyright © 1990, 1993 The Regents of the University of California

License:

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

License (for string-inl.h):

    Copyright (c) 1990, 1993
    The Regents of the University of California.  All rights reserved.

    This code is derived from software contributed to Berkeley by
    Chris Torek.

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions
    are met:
    1. Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
    3. Neither the name of the University nor the names of its contributors
       may be used to endorse or promote products derived from this software
       without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
    FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGE.

On Debian systems, the complete text of the Apache License, Version 2.0 can
be found in `/usr/share/common-licenses/Apache-2.0'.

debian/ratproxy-report.1:

.TH RATPROXY-REPORT "1" "April 2009" "ratproxy 1.56-beta" "User Commands"
.SH NAME
ratproxy-report \- report generator for the ratproxy tool
.SH SYNOPSIS
.BI ratproxy-report " ratproxy.log"
.SH DESCRIPTION
This is essentially a prettyprinter for ratproxy logs. It removes dupes, sorts
entries within groups, then sorts groups based on highest priority within the
group, and produces some nice HTML with form replay capabilities.
.SH OPTIONS
ratproxy-report takes no options, only the name of the ratproxy-generated log
file, and displays the generated HTML file on standard output.
.SH ENVIRONMENT
The environment variable \fIRAT_URLPREFIX\fR can be used to specify an
absolute URL prefix for the trace/decompile links, if available. Otherwise
they will be referenced with relative links. If the generated report will be
stored in a directory different from the parameter \fI-v\fR to \fBratproxy\fR,
then you should set this variable to that directory.
.SH EXAMPLES
.in +4n
.nf
.RB "$" " ratproxy-report ratproxy.log >report.html"
.fi
.in
.SH AUTHOR
ratproxy is written and maintained by Michal Zalewski
.PP
This manual page was generated via help2man by Iustin Pop for the Debian
project (but may be used by others).
.SH SEE ALSO
.BR ratproxy "(1)"

debian/ratproxy.dirs:

usr/bin
usr/share/images/ratproxy
usr/share/ratproxy

debian/ratproxy.manpages:

debian/ratproxy.1
debian/ratproxy-report.1

debian/docs:

doc/README
doc/TODO

debian/TODO.Debian:

- Clarify copyright of string-inl.h (File states that it is a simplified
  version of code originally shipping as BSD with Berkeley copyright, unsure
  who is the current copyright holder (is it modified by Michal Zalewski for
  example?)