Michal Zalewski announced on the Google Security blog that what was once an internal tool is now open source and free for everybody to use. Lovingly called ratproxy, the tool started as an internal assessment tool at Google. It passively analyzes browser-driven interactions with a web property and reports details about flaws and areas of concern. While not a cure-all analysis tool, ratproxy adds another layer of scanning and reporting that many should find useful.
Google releases a passive scanner to help with web security. (Image: J. Anderson)
“The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more,” Zalewski said.
In fact, reading the documentation provided, you can see there is quite a bit to this tool. Some of the things it tests for include XSS attack vectors (both confirmed and suspected), JavaScript, OGNL, Java and SQL statements, file inclusion patterns, directory indexes, server errors, as well as cross-domain trust relationships that are potentially flawed.
Because it is passive, there is little risk of disruptions as it “…does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms,” the documentation reads.
The complete documentation is here: http://code.google.com/p/ratproxy/wiki/RatproxyDoc
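To make the passive approach described above concrete, here is a small added illustration (not ratproxy's code, and not a reproduction of its checks) of what a passive analyzer does: it sends no traffic of its own, it only inspects request/response pairs the browser already produced and flags a few of the categories the article names (CSRF candidates, cacheable authenticated responses, JSON served under the wrong content type, cross-domain script inclusion). The `Transaction` type, the `analyze` and `report` helpers and all sample traffic are constructed for this example.

```python
"""Passive review of captured HTTP transactions, ratproxy-style (illustration only)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Transaction:
    """One request/response pair as a proxy would have observed it (constructed type)."""
    method: str
    url: str
    request_headers: dict
    request_body: str
    status: int
    response_headers: dict
    response_body: str


# Constructed sample traffic: what a browser-driven session might pass through a proxy.
SAMPLE_TRAFFIC = [
    Transaction("POST", "https://app.example/account/email",
                {"Cookie": "session=abc"}, "email=new%40example.org",
                200, {"Content-Type": "text/html"}, "<html>updated</html>"),
    Transaction("GET", "https://app.example/api/profile",
                {"Cookie": "session=abc"}, "",
                200, {"Content-Type": "text/html",
                      "Cache-Control": "public, max-age=3600"},
                '{"name":"Alice","ssn_last4":"1234"}'),
    Transaction("GET", "https://app.example/", {}, "",
                200, {"Content-Type": "text/html", "Cache-Control": "no-store"},
                '<script src="https://cdn.other.example/lib.js"></script>'),
]


def analyze(tx):
    """Return a list of finding labels for one transaction, never sending anything."""
    findings = []
    host = urlsplit(tx.url).hostname

    # 1. State-changing request authenticated only by a cookie and carrying no
    #    visible anti-CSRF token: candidate for insufficient CSRF defenses.
    if tx.method in ("POST", "PUT", "DELETE") and "Cookie" in tx.request_headers:
        if ("token" not in tx.request_body.lower()
                and "X-CSRF-Token" not in tx.request_headers):
            findings.append("csrf-candidate")

    # 2. Authenticated response not explicitly marked non-cacheable: a caching
    #    issue that can leak per-user data through shared caches.  (Heuristic:
    #    a missing Cache-Control header is treated as worth reviewing.)
    if "Cookie" in tx.request_headers:
        cc = tx.response_headers.get("Cache-Control", "").lower()
        if "no-store" not in cc and "private" not in cc:
            findings.append("cacheable-authenticated-response")

    # 3. JSON-looking body served with a non-JSON content type: XSS/XSSI candidate.
    body = tx.response_body.lstrip()
    ctype = tx.response_headers.get("Content-Type", "").lower()
    if body.startswith(("{", "[")) and "json" not in ctype:
        findings.append("json-with-wrong-content-type")

    # 4. Script loaded from another origin: a cross-domain code inclusion to review.
    for src in re.findall(r'<script[^>]+src="([^"]+)"', tx.response_body):
        if urlsplit(src).hostname not in (None, host):
            findings.append("cross-domain-script-include")

    return findings


def report(traffic):
    """Map each URL with at least one finding to its findings."""
    result = {}
    for tx in traffic:
        found = analyze(tx)
        if found:
            result[tx.url] = found
    return result


if __name__ == "__main__":
    for url, found in report(SAMPLE_TRAFFIC).items():
        print(url, "->", ", ".join(found))
```

The point of the structure is that `analyze` is a pure function over already-captured data; a real proxy would feed it live transactions, but nothing in it generates attack-simulating requests, which is why this style of check is safe to run against production traffic.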
With all that it does, why would Google give this away?
“We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies. We believe that responsible security research brings a net overall benefit to the safety of the Web as a whole, and have released this tool explicitly to support that kind of research,” Zalewski added.