Google releases Web 2.0 security tool

Google has released as open source a web application assessment tool, Ratproxy, that was designed to root out potential security flaws.

Separately, Google also released Browser Sync, a product designed for keeping multiple versions of Firefox synchronised, under an open-source licence.

Last month, Google said it would terminate support for Browser Sync, and this week the company open sourced the code for the product's client software in order to allow the developer community to continue to use and improve it, said Google developer Aaron Boodman in a blog post. "It would be great to see the server ported to Google App Engine, or support for Firefox 3 implemented," Boodman wrote.

Ratproxy is an audit system written internally and introduced last week by Michal Zalewski, a respected security researcher hired by Google almost a year ago to help lock down the company's own websites. The tool has been used at Google for unearthing problems such as cross-site script inclusion threats, insufficient cross-site request forgery defences, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information-leakage scenarios, according to Zalewski.

The proxy works passively by analysing existing, user-initiated traffic, and is particularly tuned for complex Web 2.0 environments, Zalewski said in a blog post.

"We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies," Zalewski wrote. He added that Ratproxy is intended to complement active crawlers and manual proxies, as well as other passive proxies.

The main advantage of Ratproxy is its focus on Web 2.0 applications, drawing on Google's experience with such applications, Zalewski said. For instance, it offers a number of advanced and unique checks, content-sniffing functions capable of distinguishing between stylesheets and Javascript code snippets, and the ability to take into account particular browser-related quirks and content-handling oddities, according to Zalewski's documentation for Ratproxy. The proxy can be used in a chain with third-party security testing proxies, he said.

Ratproxy currently supports Linux, FreeBSD, MacOS X and Windows, and is available from Google Code.

Google has come under increasing pressure in recent months to tighten its security strategy. Last month StopBadware.org, a site sponsored by Google, found that Google itself was one of the top five networks hosting malicious web pages, largely due to the popularity among attackers of Google-owned networks such as Blogger. The other four top-five networks were based in China.

Google admitted recently that the number of drive-by download sites listed in its typical search results has increased significantly over the past year.