InfoQ

Google Releases Open Source Web Application Security Assessment Tool

Posted by Gavin Terrill on Jul 02, 2008 06:55 PM

Community: Java, .NET, Architecture, Ruby
Topics: Security
Tags: Cross-Site Scripting

Google has announced the open source release of ratproxy, one of its internal security tools. Ratproxy is used for passively assessing web application security:

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

As a passive tool, ratproxy monitors the interaction between the browser and the web application rather than generating its own requests. According to the documentation, this offers several advantages over traditional methods:

  • No risk of disruptions
  • Low effort, high yield
  • Preserved control flow of human interaction
  • WYSIWYG data on script behavior
  • Easy process integration
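To illustrate what "passive assessment" means in practice, here is a small added example (not ratproxy's own code, and not from Google or Michal Zalewski) that runs a handful of defender-side checks over recorded browser/application transactions: a state-changing request that carries a session cookie but no token-like parameter, a cookie-bearing response that is cacheable, a JSON-shaped body served as text/html, and script includes pulled from a foreign host. The `Transaction` records, the hostnames and the check names are constructed for this example; the rules are deliberately simple heuristics, not the proxy's actual detection logic.

```python
"""Passive checks over captured HTTP transactions, in the spirit of ratproxy (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Transaction:
    """One browser <-> application exchange as a proxy would observe it (constructed shape)."""
    method: str
    url: str
    request_headers: dict
    request_body: str
    status: int
    response_headers: dict
    response_body: str


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


TOKEN_PARAM_RE = re.compile(r"(csrf|xsrf|token|nonce)", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def check_csrf(tx):
    """State-changing request sent with a cookie but without any token-like parameter."""
    if tx.method.upper() not in ("POST", "PUT", "DELETE"):
        return None
    if _header(tx.request_headers, "Cookie") is None:
        return None
    params = parse_qs(tx.request_body)
    params.update(parse_qs(urlsplit(tx.url).query))
    if any(TOKEN_PARAM_RE.search(name) for name in params):
        return None
    return "csrf: state-changing request with session cookie but no token-like parameter"


def check_caching(tx):
    """Response tied to a session (cookie in or out) that is not marked no-store/private."""
    if (_header(tx.response_headers, "Set-Cookie") is None
            and _header(tx.request_headers, "Cookie") is None):
        return None
    cache_control = (_header(tx.response_headers, "Cache-Control") or "").lower()
    if "no-store" in cache_control or "private" in cache_control:
        return None
    return "caching: cookie-bearing response lacks Cache-Control: no-store/private"


def check_content_type(tx):
    """JSON-looking body served as text/html: a browser may render it, an XSS candidate."""
    content_type = (_header(tx.response_headers, "Content-Type") or "").lower()
    body = tx.response_body.lstrip()
    if body.startswith(("{", "[")) and content_type.startswith("text/html"):
        return "xss-candidate: JSON-shaped body served as text/html"
    return None


def check_cross_domain_scripts(tx):
    """Script includes whose host differs from the page's own host."""
    own_host = urlsplit(tx.url).hostname
    foreign = sorted({urlsplit(src).hostname for src in SCRIPT_SRC_RE.findall(tx.response_body)
                      if urlsplit(src).hostname and urlsplit(src).hostname != own_host})
    if not foreign:
        return None
    return "cross-domain-include: scripts loaded from " + ", ".join(foreign)


CHECKS = (check_csrf, check_caching, check_content_type, check_cross_domain_scripts)


def analyze(tx):
    """Run every passive check over one transaction and return the findings."""
    return [finding for finding in (check(tx) for check in CHECKS) if finding]


# Constructed sample traffic; hostnames and paths are placeholders.
SAMPLE = [
    Transaction("POST", "https://app.example.test/transfer", {"Cookie": "sid=1"},
                "to=alice&amount=10", 200, {"Content-Type": "text/html; charset=utf-8"},
                "<html>OK</html>"),
    Transaction("GET", "https://app.example.test/api/profile", {"Cookie": "sid=1"}, "", 200,
                {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store"},
                '{"name": "alice"}'),
    Transaction("GET", "https://app.example.test/", {}, "", 200,
                {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "public"},
                '<script src="https://cdn.example.net/lib.js"></script>'
                '<script src="/static/app.js"></script>'),
    Transaction("POST", "https://app.example.test/settings", {"Cookie": "sid=1"},
                "csrf_token=abc&theme=dark", 200,
                {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store"},
                "<html>saved</html>"),
]


def report(transactions=SAMPLE):
    """Map each observed URL to its list of findings (empty list means clean)."""
    return {tx.url: analyze(tx) for tx in transactions}


if __name__ == "__main__":
    for url, findings in report().items():
        print(url, findings or "clean")
```

Because the checks only read what the browser already sent and received, running them cannot disturb the application under test, which is the property the bullet list above describes. Real proxies refine these heuristics considerably (ratproxy, for instance, replays selected requests to confirm suspicions), so treat each finding as a candidate for review, not a confirmed defect.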

In comparing ratproxy to other security audit tools (such as WebScarab, Paros, Burp, ProxMon, and Pantera), creator Michal Zalewski suggests:

It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

Ratproxy (1.50 beta) (164 Kb) is available for Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
