Google develops web app security tool

Google develops web app security tool

Summary: Search giant is developing its own fuzzing tool code-named 'Lemon' to test its web applications, but has no immediate plans to release it

TOPICS: Security

Google is in the process of developing a security tool to automatically find cross-site scripting holes in its web applications.

Code-named "Lemon", which Google says is derived from the term for a defective product, the tool works by fuzz testing or fault-injection, which brute-force tests by supplying random data inputs that are designed to trigger and expose flaws in web applications. Lemon is a black box tester, which assumes no knowledge of the internal structure of an application or device.

According to Google security team member Srinath Anantharaju, Lemon has been developed to detect cross-site scripting (XXS) vulnerabilties, but Google is "in the process of adding new attack vectors to improve the tool against [other] known security problems".

"Our vulnerability testing tool enumerates a web application's URLs and corresponding input parameters," wrote Anantharaju in the Google online security blog. "It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyses the resulting responses for evidence of such vulnerabilities."

XSS attacks generally work by injecting code into web applications for malicious purposes. An attacker can inject code into a web application, which is then executed in a user's browser session. Hackers can also compromise users by sending an email with a crafted malicious URL that, when clicked on, loads a webpage and injected script that executes in a browser session.

Google plans to use the tool to test its own web applications, and will not be releasing Lemon in the near future as it is "highly customised" for those applications, according to Anantharaju. The Google security team evaluated commercially available fuzzers, but felt the company's "specialised needs could be served best by developing our own tools".

Various open-source fuzzers are available online, while commercial fuzzers are also available.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Finally something that I am truly proud about google

    Amazingly, I see that Google's new 'lemon' is obviously focussing on attacks that can happen from the very fringes of the http realm, html and xml at its root... I hope something like this makes the web a whole lot safer, in-spite of the many dangers that lurk in the shadows.