InfoQ

News

Google Releases Open Source Web Application Security Assessment Tool

Posted by Gavin Terrill on Jul 02, 2008 06:55 PM

Community
Java,
.NET,
Architecture,
Ruby
Topics
Security
Tags
Cross-Site Scripting

Google has announced the open source release of one of their internal security tools "ratproxy". Ratproxy is used for passively assessing web application security:

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

As a passive tool, ratproxy monitors the interaction between the browser and the web application. According to the documentation, this offers several advances over traditional methods:

  • No risk of disruptions
  • Low effort, high yield
  • Preserved control flow of human interaction
  • WYSIWYG data on script behavior
  • Easy process integration

In comparing ratproxy to other security audit tools (such as WebScarab, Paros, Burp, ProxMon, and Pantera), creator Michal Zalewski suggests:

It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.

Ratproxy (1.50 beta) (164 Kb) is available for Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

RelatedVendorContent

JProbe Freeware – Eclipse Plugin for efficient memory analysis and diagnosis

Guide to Calculating ROI with Terracotta Open Source JVM Clustering

IBM software architect eKit: Grady Booch podcast, whitepapers, articles

The Key to SOA Governance: Understanding the Essence of Business

Spring App Platform, Java Concurrency/Multicore, Eclipse Mylyn and more @ QCon SF Nov 19-21

No comments

Reply

Exclusive Content

Using Ruby Fibers for Async I/O: NeverBlock and Revactor

Ruby 1.9's Fibers and non-blocking I/O are getting more attention - we talked to Mohammad A. Ali of the NeverBlock project and Tony Arcieri of the Revactor project.

Agile and Beyond - The Power of Aspirational Teams

Tim Mackinnon talks about the aspirations behind the Agile principles and practices, the desire to become efficient, to write quality code which does not end up being thrown away.

Concurrency: Past and Present

Brian Goetz discusses the difficulties of creating multithreaded programs correctly, incorrect synchronization, race conditions, deadlock, STM, concurrency, alternatives to threads, Erlang, Scala.

ActionScript 3 for Java Programmers

Often the hardest part of changing technologies is language syntax differences. This new article provides Java developers with a transition guide to Actionscript which forms the foundation of Flex.

Neal Ford On Programming Languages and Platforms

Neal Ford talks about having multiple languages running on one of the two major platforms: Java and .NET. He also presents the advantages offered by Ruby compared to static languages like Java or C#.

Future Directions for Agile

David Anderson talks about the history of Agile, the current status of it and his vision for the future. The role of Agile consists in finding ways to implement its principles.

Nick Sieger on JRuby

Nick Sieger talks about the future of JRuby, Java Integration, and his work on JEE deployment tools for Ruby on Rails like Warbler.

Rustan Leino and Mike Barnett on Spec#

Rustan Leino and Mike Barnett of Microsoft Research discuss the technology in Spec# and its futures.