Version 0.9.13

News

Core

• Faster socket communication!! Now client sockets are reused
• Big big changes on core modules, e.g. Watobo::Chats or Watobo::Findings.
• PassiveScanner - passive checks now run in background
• New DSL-like Plugin Style - digging into Metaprogramming ... check out WShell Plugin!

Modules

• XSS-NG supports "Parameter Prefetching" - using form fields of response as test parameters
• Hidden Field Spotter
• Improved boolean SQLi detection
• added some .NET Checks for well-known files, e.g. Trace.adx and Error Pages /w Stack-Trace
• XXE (Xml eXternal Entity) check
• Check html password fields for autocomplete attribute

Plugins

• SSL Checker now also shows the tested method (SSLv3, TLS, ..)
• WShell - Watobo Shell; With WShell you can execute ruby commands in the context of WATOBO. Very useful for advanced analysis, debugging purposes or simply to explore WATOBO.

GUI

• Parameter names in Table view are now automatically en-/decoded
• Right-Click on a plugin to get some information about it - only works on new plugins at the moment ...
• Introduced a new chat viewer with HTML highlighting (based on FXScintilla)
• ConversationTable: added 'space' hotkey to open "Edit Comment" dialog
• ConversationTable: added hotkeys for "goto url" navigation
• ChatViewer: xml/html content gets prettyfied for text- and html-viewer
• FindingsTree: added counter to finding class
• FindingsTree: memorize expanded nodes
• Conversation table filter now opens as a dialog and displays more information

Fixes

Core

• Bug in parsing multipart requests caused by incorrect boundary handling
• conversation text filter now works on responses without content-type header

Fuzzer

• fixed generator in fuzzer engine

GUI

• crash after selecting client certs
• no more swallowing a space-char at the end of a string when b64decoding with short-cuts

Plugins

• Catalog-Scanner: now all placeholders will be replaced
• SSLChecker now supports more methods and ciphers, incl. SSLv2

Passive Modules

• FormSpotter: now using nokogiri for parsing/extracting
  information

= Version 0.9.12 == NEW

• [Module] Siebel Checks: Enumeration of default apps and files, e.g. base.txt
• [Module] PassiveCheck filtering Domino DB names
• [GUI] added De-Select-All buttons to scan policy
• [GUI] finding details menu available at finding-class level

== Fixes

• crash when pasting data (Linux)
• crash on starting full scan dialog
• minor issue when adding a new db-path to catalog scanner plugin

= Version 0.9.11 == NEW

• [FileFinder] pimped the interface, added save-settings

== Fixes

• [ConversationTable] Request-/Resoponse View is updated when navigating with arrow-keys
• [INTERCEPOR] fixed bug in parsing intercepted responses

= Version 0.9.10 == Fixes

• fixed sqlmap temp directory

= Version 0.9.9 == NEW

• [Module] Time-based SQL injection module
• [Module] Rated XSS which gives a more accurate exploitability result
• [GUI] ConversationTable: values in coloumn Parameters are url-decoded
• [Plugin] WebCrawler - based on Mechanize
• [GUI] Manual Request Editor: Url is displayed in the window title
• [GUI] Menubar items are disabled if no project is defined
• [CORE] Create SSL certificates for each target on-the-fly, now you only have to trust the internal CA once
• [Interceptor] Rewrite/Inject Feature to Interceptor
• [CORE] added .yml file extension for chats, findings, logs, ...
• [Plugin] SQLmap - easy to use sqlmap interface
• [Interceptor] Transparent Proxy Feature - only available on Linux (depends on netfilter_queue)
• [CatalogScanner] added predefined database paths
• [CORE] general unzipping and unchunking of server responses

== Fixes

• CA Directory is now created in WATOBO working directory '.watobo'
• Fixed Crash on opening client-certificate dialog
• Improved Socket communication
• ConversationTable: GET and POST parameters are shown in the parameters coloumn
• TreeView-Pane: Show full conversation list when Findings tab is selected
• Fixed a bug in parsing post parameters
• QuickScan: double scanning each module
• the disclaimer.chk file now is written to .watobo
• some minor bugs

= Version 0.9.8 == NEW

• Ruby 1.9 Support - no more 1.8 don't even try it ;)
• WATOBO available as a Gem
• Reorganisation of WATOBO settings files.
• Reorganisation of WATOBO project.
• Introduced Framework capabilities
• Changed version numbering for Gem compatibility
• SSLChecker-Plugin: nicer gui, now you can scan a site which is not already in conversation list
• Conversation-Table: better search features, e.g. URL, Request or Response
• Chat-Viewer: added a 'save'-button to save the response's body to a file, e.g. save a flash file for further investigations
• Scanner: now follows 302-redirects - this option is only available via QuickScan
• GUI: purge (multiple) findings is possibel via FindingsTree

== Fixes

• interceptor reset-button
• Constant declarations
• lib/mixin/request_parser.rb: fixed file handling
• fixed pattern for detecting file upload fields
• optimized "tagless" view
• optimized lots of threading stuff, e.g. progress bars, log-windows, ...
• lib/qGui: changed progress_window

= Version 0.9.7 Revision 534 == NEW

• MasterPassword for encrypting Proxy- and WWW-Auth-Passwords
• Hotkey-Help: Press F1 to view all Hotkeys for the focused widget!!! Works in ManualRequestEditor, Interceptor, ChatViewers
• Interceptor: Intercept Filters, Editor, Hotkeys - almost complete rewrite!!!
• Passive Module: 'DOM XSS' - checks for javascript code which manipulates DOM and may be misused for XSS
• Passive Module: 'Detect One-Time-Tokens' - checks for parameters which may be used to prevent CSRF-Attacks
• ManualRequest Following Redirects Automatically (optional)
• ManualRequest: Added Hotkeys for 'send' (ctrl-enter) and transcoding ctrl-[shift]-b (base64), ctrl-[shift]-u (url)
• ManualRequest: new Transform 'Get -> Post'
• TableEditor: Added Hotkeys; ctrl-[shift]-b (base64), ctrl-[shift]-u (url), ctrl-enter (send request)
• Passive Module: 'Detect Code' - Now also checks for ASP-Snippets
• ConversationTable: added SSL-Icon
• TextView: added Match-Navigation for 'Highlight'- and 'Grep'-Filter
• One-Time-Token-Dialog: Target chat is also visible for OTT-pattern creation.
• WATOBO-Logo: watobo-48x48.png for nice desktop shortcuts/launchers ;)

== Fixes

• FullScan-Wizzard: Empty Scanlist
• Fixed Typo in lib/utils/response_hash.rb (SmartHash)
• Manual Request Editor: Add Parameter in TableView
• ConversationTable: Fixed Error Cutting Of Last Char On Copy
• ConversationTable: Now update 'comment' immediately in table
• Required BasicAuth will now be sent to browser
• Module SQL_Boolean: Adding a Finding produced an error
• FileFinder & CatalogScanner: 'Custom Error Patterns' are recognized
• TableEditor: Fixed Parsing Problem - appended parms instead of replacing
• Interceptor: Fixed handling of chunk-encoded server responses
• SmartHash: Fixed Reduction -> much faster and less false-positives on blindSQLi

= Version 0.9.6 Build 271 == Fixes

• Scanner: Scanner works without proxy

= Version 0.9.6 Build 270 == Fixes

• ProxyDialog: AddProxy-Crash
• Scanner: No Probe For Target If Proxy Is Set
• Session: Fixed NTLM-Authentication

= Version 0.9.6 !! NOTE !! Due to the import fix you can't import older WATOBO sessions!

== NEW

• General: Supports One-Time-Tokens (e.g. Anti-CSRF-Tokens)
• General: NTLM Authentication (Server and Proxy)
• New Plugin: FileFinder
• GUI: switch the icon and text size for lower screen resolution
• Manual Request Editor: Table-View for easier parameter manipulation

== !!! CONTRIBUTIONS !!! :)) Hans-Martin Muench contributed two active-check modules:

• modstatus.rb:
• crossdomain.rb:

== Minor Changes

• slightly improved SQL-Injection (Simple)
• now you can hide 404 and 302 in Sites Tree

== Fixes

• General: Fixed Import Problem ('inspect' data before YAML'izing)
• General: Fixed "limitation" of forwarding proxy port length 4 -> 5, wtf???
• General: Fixed EOF handling on socket operation
• Catalog Scan: now use forwarding proxy
• Interceptor: Fixed Drop and Discard

== Minor Fixes

• General: switched to unix style line breaks again * got lost somewhere ...
• General: fixed path reference for already tested directories in HTTP-Methods and Dir-Walker (reported by Hans-Martin Muench)
• General: fixed HashBang line in start_watobo.rb (reported by Achim Hoffmann)
• GUI: changed appearance of History
• Sites Tree: workaround for FXTreeList.findItem (bug?)
• GUI: now counters get reset when new project is started
  

= Version 0.9.5 == New

• PassThrough for large responses or special content-types (Interceptor/Proxy)
• Introduced Plugins
• Introduced Full logging of Scans
• Introduced Target-Scope
• Introduced Quick-Filter in Sites-Tree-View
• Introduced Scope-Filter-Option for conversation table
• Introduced Request-Transform (POST->GET) for Manual Requests
• New Plugin: Catalog-Scan
• New Plugin: SSL-Check

== Improvements/Bugfixes

• using YAML for saving settings
• speedup of session-import
• request/response-viewer: auto-reset on grep
• fixed hash-calculation for findings in passive checks
• fixed autoscroll not disable-able
• fixed passive module "cookie-options"
• fixed numRequests calculation in FuzzFile-Generator
• fixed url-shaping if parameter contains /https?/
• fixed button behaviour @interceptor

= Version 0.9.2

• NEW: History navigation (for Manual Requests Editor)
• NEW: Fuzzer Engine
• NEW: Differ usability improved
• NEW: WATOBO now can run on Windows, Linux and MAC
• FIX: fixed table-right-click crash
• MISC: Redesign of chat-table-menu
• MISC: Improved checks for recognizing proxy settings

= Version 0.9.1-96

• load fox16 problem fixed - hope not too many user were hit by this!
• auto-save of proxy settings
• fixed some issues with the fuzzer

= Version 0.9.1-95

• fixed hash calculation for better blind-sql checks
• added Differ for diffing chats (very nice)
• added HexViewer (no editor yet)
• open session/project by double clicking
• response get cut off after