Google ships open-source Web security assessment tool

Summary:The Google security team has released a free, open-source Web app security assessment tool capable of flagging vulnerabilities and potential security threats in Internet-facing applications.The tool, called Ratproxy, is described as a passive Web application security audit tool designed to analyze legitimate, browser-driven interactions with tested Web applications -- to automatically pinpoint, annotate, and prioritize potential flaws or areas of concern on the fly.

Google ships open-source Web security assessment tool
The Google security team has released a free, open-source Web app security assessment tool capable of flagging vulnerabilities and potential security threats in Internet-facing applications.

The tool, called Ratproxy, is described as a passive Web application security audit tool designed to analyze legitimate, browser-driven interactions with tested Web applications -- to automatically pinpoint, annotate, and prioritize potential flaws or areas of concern on the fly.

Ratproxy was created by Michal Zalewsky (left), the browser hacking guru who joined the search engine giant last July.

According to Zalewski, Ratproxy is meant to complement active crawlers and manual proxies currently used to test complex Web 2.0 applications.

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

...It features a sophisticated content-sniffing functionality capable of distinguishing between stylesheets and Javascript code snippets, supports SSL man-in-the-middle, on the fly Flash ActionScript decompilation, and even offers an option to confirm high-likelihood flaw candidates with very lightweight, a built-in active testing module.

Last but not least, if you are undecided, the proxy may be easily chained with third-party security testing proxies of your choice.

[ SEE: Google’s anti-malware team comes out of the shadows ]

Currently in beta, Ratproxy (see source code and screenshot) is available on Linux, *BSD, MacOS X, and Windows (Cygwin).

This isn't the first open-source security tool to come out of Google's security team.  Last year, the company released a fuzz testing tool that was used internally to find multiple vulnerabilities in Internet-critical software products.

The fuzzer, called Flayer, is an analysis and flow alteration tool that has been used to find errors in real software. In the past year, results from Flayer has led to the discovery of security holes in several open-source products, including OpenSSH, OpenSSL, LibTIFF and libPNG.

Topics: Google, Browser, CXO, Open Source, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.