Google has announced the open-source release of one of its internal security tools, ratproxy. Ratproxy is used for passively assessing web application security:
The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.
As a passive tool, ratproxy monitors the interaction between the browser and the web application rather than generating requests of its own. According to the documentation, this offers several advantages over traditional methods:
- No risk of disruptions
- Low effort, high yield
- Preserved control flow of human interaction
- WYSIWYG data on script behavior
- Easy process integration
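To make the passive approach concrete, the following added example (written for this page, not code from ratproxy or from Google) shows the shape of such an analyzer: it sends nothing itself, only inspects request/response pairs a browser has already produced, and flags a few of the issue classes named above (missing anti-CSRF token, cross-domain script inclusion, cacheable personalised responses, JSON served as HTML). The `Exchange` type, the check names, the heuristics and the sample hostnames are all assumptions made for this illustration.

```python
"""Toy passive web-application analyzer (added illustration, not ratproxy code).

It never sends a request of its own: it only inspects request/response pairs
that a browser already produced, in the spirit of a passive proxy, and flags
a few of the issue classes named in the text. The heuristics are deliberately
simple assumptions chosen for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlparse


@dataclass
class Exchange:
    """One captured browser <-> application round trip (assumed structure)."""
    method: str
    url: str
    req_headers: Dict[str, str] = field(default_factory=dict)
    req_body: str = ""
    status: int = 200
    resp_headers: Dict[str, str] = field(default_factory=dict)
    resp_body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive response header lookup; empty string if absent."""
        lowered = {k.lower(): v for k, v in self.resp_headers.items()}
        return lowered.get(name.lower(), "")


TOKEN_RE = re.compile(r"(csrf|xsrf|token|nonce)", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def check_csrf(ex: Exchange) -> List[str]:
    """State-changing form POST carrying no parameter that looks like an anti-CSRF token."""
    ctype = ex.req_headers.get("Content-Type", "").lower()
    if ex.method != "POST" or "form" not in ctype:
        return []
    params = parse_qs(ex.req_body)
    if not any(TOKEN_RE.search(name) for name in params):
        return ["csrf-no-token"]
    return []


def check_cross_domain_script(ex: Exchange) -> List[str]:
    """HTML page that pulls executable code from a host other than the one serving it."""
    if "text/html" not in ex.header("Content-Type").lower():
        return []
    own_host = urlparse(ex.url).hostname
    findings = []
    for src in SCRIPT_SRC_RE.findall(ex.resp_body):
        host = urlparse(src).hostname  # None for relative URLs such as /static/app.js
        if host and host != own_host:
            findings.append(f"cross-domain-script:{host}")
    return findings


def check_caching(ex: Exchange) -> List[str]:
    """Response that issues a cookie (so is probably personalised) yet permits shared caching."""
    if not ex.header("Set-Cookie"):
        return []
    cache_control = ex.header("Cache-Control").lower()
    if "no-store" not in cache_control and "private" not in cache_control:
        return ["cacheable-personalised-response"]
    return []


def check_json_mime(ex: Exchange) -> List[str]:
    """JSON body labelled text/html: a browser may render it, an XSS / inclusion candidate."""
    body = ex.resp_body.lstrip()
    if body[:1] in ("{", "[") and "text/html" in ex.header("Content-Type").lower():
        return ["json-served-as-html"]
    return []


CHECKS = [check_csrf, check_cross_domain_script, check_caching, check_json_mime]


def run_passive_checks(exchanges):
    """Run every check over every captured exchange; return (finding, url) pairs."""
    report = []
    for ex in exchanges:
        for check in CHECKS:
            for finding in check(ex):
                report.append((finding, ex.url))
    return report


# Constructed sample traffic; hostnames are placeholders, not real sites.
SAMPLE = [
    Exchange("POST", "http://app.example/transfer",
             {"Content-Type": "application/x-www-form-urlencoded"},
             "to=alice&amount=100",
             200, {"Content-Type": "text/html", "Set-Cookie": "session=abc"},
             "<html><script src=\"http://cdn.third-party.example/lib.js\"></script></html>"),
    Exchange("GET", "http://app.example/api/profile", {}, "",
             200, {"Content-Type": "text/html", "Cache-Control": "private"},
             '{"user": "alice"}'),
    Exchange("POST", "http://app.example/transfer",
             {"Content-Type": "application/x-www-form-urlencoded"},
             "to=alice&amount=100&csrf_token=deadbeef",
             200, {"Content-Type": "text/html", "Cache-Control": "no-store",
                   "Set-Cookie": "x=1"},
             "<html><script src=\"/static/app.js\"></script></html>"),
]

if __name__ == "__main__":
    for kind, url in run_passive_checks(SAMPLE):
        print(f"{kind:45} {url}")
```

Run as a script, it reports three findings for the first exchange, one for the second and none for the third, which carries a token, a relative script source and `no-store`. The point of the structure is the one the list above makes: because every check is a pure function of traffic the browser already produced, the analysis cannot disrupt the application and can be re-run on the same capture as often as needed.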
In comparing ratproxy to other security audit tools (such as WebScarab, Paros, Burp, ProxMon, and Pantera), its creator, Michal Zalewski, suggests:
It is designed specifically to deliver concise reports that focus on prioritized issues of clear relevance to contemporary web 2.0 applications, and to do so in a hands-off, repeatable manner. It should not overwhelm you with raw HTTP traffic dumps, and it goes far beyond simply providing a framework to tamper with the application by hand.
Ratproxy 1.50 beta (164 Kb) is available for Linux, FreeBSD, Mac OS X, and Windows (Cygwin) environments.