Google uses Lemon to find holes in apps

Google is working on a security tool -- codenamed Lemon -- to detect vulnerabilities in its Web applications.
Written by Tom Espiner, Contributor on

Google is working on a security tool -- codenamed Lemon -- to detect vulnerabilities in its Web applications.

The tool -- the name of which Google says is derived from the term for a defective product works by fuzz testing or fault-injection, which brute-force tests by supplying random data inputs that are designed to trigger and expose flaws in Web applications. Lemon is a black box tester, which assumes no knowledge of the internal structure of an application or device.

According to Google security team member Srinath Anantharaju, Lemon has been developed to detect cross-site scripting (XXS) vulnerabilties, but Google is "in the process of adding new attack vectors to improve the tool against [other] known security problems".

"Our vulnerability testing tool enumerates a Web application's URLs and corresponding input parameters," wrote Anantharaju in the Google online security blog. "It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyses the resulting responses for evidence of such vulnerabilities."

XSS attacks generally work by injecting code into Web applications for malicious purposes. An attacker can inject code into a Web application, which is then executed in a user's browser session. Hackers can also compromise users by sending an email with a crafted malicious URL that, when clicked on, loads a webpage and injected script that executes in a browser session.

Google plans to use the tool to test its own Web applications, and will not be releasing Lemon in the near future as it is "highly customised" for those applications, according to Anantharaju. The Google security team evaluated commercially available fuzzers, but felt the company's "specialised needs could be served best by developing our own tools".

Various open-source fuzzers are available online, while commercial fuzzers are also available.

Tom Espiner reported for ZDNet UK from London

Editorial standards