Google develops web app security tool

Summary:Search giant is developing its own fuzzing tool code-named 'Lemon' to test its web applications, but has no immediate plans to release it

Google is in the process of developing a security tool to automatically find cross-site scripting holes in its web applications.

Code-named "Lemon", which Google says is derived from the term for a defective product, the tool works by fuzz testing or fault-injection, which brute-force tests by supplying random data inputs that are designed to trigger and expose flaws in web applications. Lemon is a black box tester, which assumes no knowledge of the internal structure of an application or device.

According to Google security team member Srinath Anantharaju, Lemon has been developed to detect cross-site scripting (XXS) vulnerabilties, but Google is "in the process of adding new attack vectors to improve the tool against [other] known security problems".

"Our vulnerability testing tool enumerates a web application's URLs and corresponding input parameters," wrote Anantharaju in the Google online security blog. "It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyses the resulting responses for evidence of such vulnerabilities."

XSS attacks generally work by injecting code into web applications for malicious purposes. An attacker can inject code into a web application, which is then executed in a user's browser session. Hackers can also compromise users by sending an email with a crafted malicious URL that, when clicked on, loads a webpage and injected script that executes in a browser session.

Google plans to use the tool to test its own web applications, and will not be releasing Lemon in the near future as it is "highly customised" for those applications, according to Anantharaju. The Google security team evaluated commercially available fuzzers, but felt the company's "specialised needs could be served best by developing our own tools".

Various open-source fuzzers are available online, while commercial fuzzers are also available.

Topics: Security


Tom is a technology reporter for, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.