July 1st, 2008

Google ships open-source Web security assessment tool

Posted by Ryan Naraine @ 6:35 pm

Categories: Browsers, Complex Attacks, Exploit code, Firefox, Flash, Hackers, Microsoft, Open source, Pen testing, Viruses and Worms, Vulnerability research, Web 2.0, Web Applications

Tags: Google Inc., Web, Web Application, Web Security, Tool, Google Security Team, Productivity, Open Source, Security, Ryan Naraine

The Google security team has released a free, open-source Web app security assessment tool capable of flagging vulnerabilities and potential security threats in Internet-facing applications.

The tool, called Ratproxy, is described as a passive Web application security audit tool designed to analyze legitimate, browser-driven interactions with tested Web applications — to automatically pinpoint, annotate, and prioritize potential flaws or areas of concern on the fly.

Ratproxy was created by Michal Zalewski, the browser hacking guru who joined the search engine giant last July.

According to Zalewski, Ratproxy is meant to complement active crawlers and manual proxies currently used to test complex Web 2.0 applications.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

It features a sophisticated content-sniffing functionality capable of distinguishing between stylesheets and JavaScript code snippets, supports SSL man-in-the-middle and on-the-fly Flash ActionScript decompilation, and even offers an option to confirm high-likelihood flaw candidates with a very lightweight, built-in active testing module.

Last but not least, if you are undecided, the proxy may be easily chained with third-party security testing proxies of your choice.
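To make the categories above concrete, here is an added example (not ratproxy's own code) of the kind of passive check such a proxy can apply to logged request/response pairs: cross-site script inclusion, missing CSRF tokens and cacheable per-user responses. The traffic it runs over is constructed; the `X-CSRF-Token` header name and `xsrf`/`csrf` form-field names are assumptions.

```python
"""Passive audit checks in the spirit of ratproxy (example code, not ratproxy's source)."""
import re

def check_pair(req, resp):
    """Return findings for one logged pair; req/resp are dicts with headers and body."""
    findings = []
    ctype = resp["headers"].get("Content-Type", "").split(";")[0].strip().lower()
    body = resp["body"].lstrip()
    cache = resp["headers"].get("Cache-Control", "").lower()
    has_cookie = "Cookie" in req["headers"]

    # Content sniffing: the body looks like JSON whatever the declared type says.
    # A response starting with an anti-XSSI prefix such as )]}' is not flagged.
    looks_json = body[:1] in ("[", "{")
    # XSSI: cookie-authenticated JSON fetched via GET with no prefix can be read
    # cross-origin by a third-party <script src=...> on old JavaScript engines.
    if req["method"] == "GET" and has_cookie and looks_json:
        findings.append("xssi: authenticated JSON on GET without anti-XSSI prefix")
    if ctype == "text/html" and looks_json:
        findings.append("mime: JSON body served as text/html")
    # CSRF: state-changing request authenticated only by cookie, no token anywhere
    if req["method"] == "POST" and has_cookie:
        token = (re.search(r"(?:^|&)[^=&]*(xsrf|csrf)[^=&]*=", req["body"], re.I)
                 or "X-CSRF-Token" in req["headers"])   # header name is an assumption
        if not token:
            findings.append("csrf: cookie-authenticated POST carries no anti-CSRF token")
    # Caching: a per-user response that shared caches are allowed to keep
    if has_cookie and "no-store" not in cache and "private" not in cache:
        findings.append("cache: cookie-bound response lacks no-store/private")
    return findings

SAMPLE = [  # constructed traffic, not real captures
    ({"method": "GET", "path": "/api/contacts", "headers": {"Cookie": "sid=abc"}, "body": ""},
     {"status": 200, "headers": {"Content-Type": "application/json"},
      "body": '[{"name": "alice"}]'}),
    ({"method": "POST", "path": "/transfer", "headers": {"Cookie": "sid=abc"},
      "body": "to=bob&amount=10"},
     {"status": 200, "headers": {"Content-Type": "text/html", "Cache-Control": "no-store"},
      "body": "<p>ok</p>"}),
    ({"method": "GET", "path": "/api/safe", "headers": {"Cookie": "sid=abc"}, "body": ""},
     {"status": 200, "headers": {"Content-Type": "application/json",
                                 "Cache-Control": "private, no-store"},
      "body": ")]}'\n[{\"name\": \"alice\"}]"}),
]

def run_sample():
    """Map each sample path to its findings; only /api/safe should come back clean."""
    return {req["path"]: check_pair(req, resp) for req, resp in SAMPLE}

if __name__ == "__main__":
    for path, found in run_sample().items():
        print(path, found or "ok")
```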

[ SEE: Google’s anti-malware team comes out of the shadows ]

Currently in beta, Ratproxy (see source code and screenshot) is available on Linux, *BSD, MacOS X, and Windows (Cygwin).

This isn’t the first open-source security tool to come out of Google’s security team. Last year, the company released a fuzz testing tool that was used internally to find multiple vulnerabilities in Internet-critical software products.

The fuzzer, called Flayer, is an analysis and flow alteration tool that has been used to find errors in real software. In the past year, results from Flayer have led to the discovery of security holes in several open-source products, including OpenSSH, OpenSSL, LibTIFF and libPNG.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback
Good for Google, releasing stuff to improve the web  fr0thy2 | 07/01/08
well, that's a good article  Narr vi | 07/02/08