For a French translation of this page, please visit Kate Bondareva's or Natalie Harmann's Web sites.

It’s always good to have an extra set of eyes. Watcher is a plugin for the free Fiddler HTTP proxy that passively audits a web application to find security bugs and compliance issues automatically. Detection is passive: Watcher only inspects the requests and responses already flowing through Fiddler and never sends traffic of its own, which is what makes it safe for production use. It acts as an assistant to the developer or pen-tester by quickly identifying issues that commonly lead to security problems in web apps. Integrate it into your test passes to achieve more coverage of your security testing goals.

You can read more about it at Microsoft's SDL blog, and Russ McRee's Toolsmith column.

Watcher has been released under an open source license on CodePlex. Download the Watcher security tool from CodePlex.

Watcher is simple to use and requires almost no overhead. The screenshot below shows the main configuration screen. To get started with Watcher, simply enable it and start exploring your Web application using any browser. Set the 'origin domain' to limit findings to just your domain; responses from other hosts are still observed but produce no findings.

[Screenshot: Watcher Configuration]

The next screenshot shows the check configuration screen where you enable and disable the checks you're interested in. Some checks have their own options for reducing noise, or for making them more accurate and less prone to false positives. This screen also shows each check's mapping to a standards compliance requirement.

[Screenshot: Watcher Checks]

The screenshot below shows the results pane, where Watcher records all findings. From here you can jump to the details of any session request/response to further inspect headers and body. You can also selectively remove results, filter them, or export them to HTML, XML, or Team Foundation Server work items.

[Screenshot: Watcher Results]
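As an added illustration (not Watcher's own code, which is a .NET Fiddler extension), the Python sketch below shows the mechanics the three screens describe: a passive auditor that only inspects responses already captured, limits findings to an origin domain, lets individual checks be enabled or disabled, and exports its findings as XML. The `Session` structure, the two checks (cookie flags and `X-Content-Type-Options`), their severities and the sample responses are my own simplified constructions, chosen because they are the kind of header-level issue a passive check can spot without sending any request of its own.

```python
"""Illustrative passive auditor in the spirit of Watcher (added example, not Watcher's code).

Assumption: a captured Fiddler session has already been reduced to a plain
Session record (url, status, headers, body); nothing here sends traffic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET


@dataclass
class Session:
    url: str
    status: int
    headers: Dict[str, List[str]]  # lower-cased header name -> list of values
    body: str = ""


@dataclass
class Finding:
    check: str
    severity: str
    url: str
    detail: str


def check_cookie_flags(s: Session) -> List[Finding]:
    """Flag Set-Cookie values lacking Secure (on https) or HttpOnly."""
    out: List[Finding] = []
    https = s.url.startswith("https://")
    for cookie in s.headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            out.append(Finding("Cookie.Secure", "Medium", s.url, f"cookie {name!r} lacks Secure"))
        if "httponly" not in attrs:
            out.append(Finding("Cookie.HttpOnly", "Low", s.url, f"cookie {name!r} lacks HttpOnly"))
    return out


def check_nosniff(s: Session) -> List[Finding]:
    """Flag responses with a body but no X-Content-Type-Options: nosniff."""
    if not s.body:
        return []
    values = [v.strip().lower() for v in s.headers.get("x-content-type-options", [])]
    if "nosniff" not in values:
        return [Finding("Header.XContentTypeOptions", "Low", s.url,
                        "missing X-Content-Type-Options: nosniff")]
    return []


# Check registry: the names are hypothetical, used only to enable/disable checks.
CHECKS: Dict[str, Callable[[Session], List[Finding]]] = {
    "Cookie.Flags": check_cookie_flags,
    "Header.XContentTypeOptions": check_nosniff,
}


class PassiveAuditor:
    def __init__(self, origin_domain: Optional[str] = None, enabled: Optional[Set[str]] = None):
        self.origin_domain = origin_domain.lower() if origin_domain else None
        self.enabled = set(enabled) if enabled is not None else set(CHECKS)
        self.findings: List[Finding] = []

    def in_scope(self, url: str) -> bool:
        """Origin-domain filter: the host itself or any of its subdomains."""
        if self.origin_domain is None:
            return True
        host = (urlsplit(url).hostname or "").lower()
        return host == self.origin_domain or host.endswith("." + self.origin_domain)

    def observe(self, s: Session) -> List[Finding]:
        """Run every enabled check over one captured response."""
        if not self.in_scope(s.url):
            return []
        new = [f for name, fn in CHECKS.items() if name in self.enabled for f in fn(s)]
        self.findings.extend(new)
        return new

    def to_xml(self) -> str:
        """Export findings in a simple XML shape (not Watcher's export format)."""
        root = ET.Element("findings")
        for f in self.findings:
            e = ET.SubElement(root, "finding", check=f.check, severity=f.severity, url=f.url)
            e.text = f.detail
        return ET.tostring(root, encoding="unicode")


# Constructed sample sessions, not real captures.
SAMPLE_SESSIONS = [
    Session("https://app.example.test/login", 200,
            {"content-type": ["text/html"],
             "set-cookie": ["sid=abc123; Path=/", "pref=dark; Path=/; Secure; HttpOnly"]},
            "<html>login</html>"),
    Session("https://cdn.example.test/app.js", 200,
            {"content-type": ["application/javascript"], "x-content-type-options": ["nosniff"]},
            "console.log('hi')"),
    Session("https://tracker.thirdparty.test/px", 200,
            {"set-cookie": ["t=1; Path=/"]}, "x"),
]


def run_demo(origin_domain: Optional[str] = "example.test",
             enabled: Optional[Set[str]] = None) -> PassiveAuditor:
    auditor = PassiveAuditor(origin_domain, enabled)
    for s in SAMPLE_SESSIONS:
        auditor.observe(s)
    return auditor


if __name__ == "__main__":
    demo = run_demo()
    for f in demo.findings:
        print(f"[{f.severity}] {f.check} {f.url}: {f.detail}")
    print(demo.to_xml())
```

With the origin domain set to `example.test`, only the `app.example.test` login response produces findings (the `sid` cookie lacks both flags and the page lacks `nosniff`); the third-party tracker response is observed but filtered out, and disabling a check in `enabled` removes its findings exactly as toggling it in the Checks screen would.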