The Google security team has released a free, open-source Web app security assessment tool capable of flagging vulnerabilities and potential security threats in Internet-facing applications.
The tool, called Ratproxy, is described as a passive Web application security audit tool designed to analyze legitimate, browser-driven interactions with tested Web applications -- to automatically pinpoint, annotate, and prioritize potential flaws or areas of concern on the fly.
Ratproxy was created by Michal Zalewski, the browser hacking guru who joined the search engine giant last July.
According to Zalewski, Ratproxy is meant to complement active crawlers and manual proxies currently used to test complex Web 2.0 applications.
The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.
Last but not least, for those who are undecided, the proxy can easily be chained with third-party security testing proxies of your choice.
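To make concrete what "passive" auditing of browser-driven traffic means, here is an added example (not Ratproxy's own code) that applies three simple heuristics in the spirit of the flaw classes listed above to constructed HTTP transactions: a state-changing POST without a visible anti-CSRF token, authenticated JSON served to a GET without a parser-breaking prefix (the cross-site script inclusion pattern), and authenticated content left cacheable. The transaction format, the `)]}'` prefix convention and the sample requests are assumptions for the example.

```python
# Added example, not Ratproxy's code: passive heuristics (CSRF, XSSI, caching) over constructed traffic.
from collections import namedtuple

# One observed browser-driven exchange: request and response; the auditor sends nothing itself.
Transaction = namedtuple("Transaction", "method url req_headers req_body resp_headers resp_body")

def logged_in(t):
    # A request carrying a cookie is treated as a logged-in session.
    return "Cookie" in t.req_headers

def check_csrf(t):
    # A state-changing POST made with a session cookie should carry an anti-CSRF token
    # the server can verify, either as a form field or as a custom request header.
    if t.method != "POST" or not logged_in(t):
        return None
    in_body = "csrf" in t.req_body.lower()
    in_header = any(h.lower().startswith("x-csrf") for h in t.req_headers)
    return None if in_body or in_header else "HIGH: authenticated POST without anti-CSRF token"

def check_xssi(t):
    # Authenticated JSON answered to a GET without a parser-breaking prefix such as ")]}'"
    # is the pattern behind cross-site script inclusion leaks.
    ctype = t.resp_headers.get("Content-Type", "").lower()
    if t.method != "GET" or "json" not in ctype or not logged_in(t):
        return None
    prefixed = t.resp_body.lstrip().startswith(")]}'")
    return None if prefixed else "MEDIUM: authenticated JSON served to GET without anti-XSSI prefix"

def check_caching(t):
    # Authenticated content without no-store/private may be retained by shared caches.
    cc = t.resp_headers.get("Cache-Control", "").lower()
    if not logged_in(t) or "no-store" in cc or "private" in cc:
        return None
    return "LOW: authenticated response lacks Cache-Control: no-store/private"

def audit(transactions):
    # Return (url, finding) pairs, the way a passive proxy annotates traffic it observes.
    checks = (check_csrf, check_xssi, check_caching)
    return [(t.url, m) for t in transactions for m in (c(t) for c in checks) if m]

# Constructed sample traffic: one token-less POST, one leaky JSON GET, one clean JSON GET.
SAMPLE = [
    Transaction("POST", "/account/email", {"Cookie": "sid=abc"}, "email=a@example.com",
                {"Content-Type": "text/html", "Cache-Control": "no-store"}, "<p>ok</p>"),
    Transaction("GET", "/api/contacts", {"Cookie": "sid=abc"}, "",
                {"Content-Type": "application/json"}, '[{"name": "x"}]'),
    Transaction("GET", "/api/profile", {"Cookie": "sid=abc"}, "",
                {"Content-Type": "application/json", "Cache-Control": "private"}, ")]}'\n{}"),
]
```

Running `audit(SAMPLE)` yields three findings: the CSRF finding on the POST and the XSSI and caching findings on `/api/contacts`, while the prefixed, private `/api/profile` response is clean.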
This isn't the first open-source security tool to come out of Google's security team. Last year, the company released a fuzz testing tool that was used internally to find multiple vulnerabilities in Internet-critical software products.
The fuzzer, called Flayer, is an analysis and flow alteration tool that has been used to find errors in real software. In the past year, results from Flayer have led to the discovery of security holes in several open-source products, including OpenSSH, OpenSSL, LibTIFF and libPNG.