Meet ratproxy, our passive web security assessment tool

Tuesday, July 1, 2008 4:49 PM



We're happy to announce that we've just open-sourced ratproxy, a passive web application security assessment tool that we've been using internally at Google. This utility, developed by our information security engineering team, is designed to transparently analyze legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern.

The proxy flags problems such as cross-site script inclusion (XSSI) threats, insufficient cross-site request forgery (CSRF) defenses, caching issues, cross-site scripting (XSS) candidates, potentially unsafe cross-domain code inclusion schemes, and information leakage scenarios, among others. (A more detailed discussion of these features, and information on securing vulnerable applications, is provided here.) Compared with more traditional active crawlers, or with fully manual request inspection and modification frameworks, the passive approach offers several significant advantages: minimal overhead, a much reduced risk of disrupting the tested site, high coverage of complex, client-driven application states in web 2.0 applications, and insight into dynamic cross-domain trust models.
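To make the passive approach concrete, here is a small added illustration, written for this page and not taken from ratproxy itself: it never sends traffic of its own, but reviews already-captured request/response pairs and emits findings in the classes the post lists. The checks are deliberately simplified approximations of the real tool's heuristics (anti-inclusion prefixes for XSSI, token-like parameter names for CSRF, `Cache-Control` directives for caching, verbatim reflection for XSS candidates, third-party `<script src>` for cross-domain inclusion); the hostnames, cookie values and response bodies are constructed sample data, not captured traffic.

```python
"""Passive review of captured HTTP exchanges (added illustration, not ratproxy code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl


@dataclass
class Exchange:
    method: str
    url: str
    req_headers: dict
    body: str          # request body (form-encoded); "" for GET
    status: int
    resp_headers: dict
    resp_body: str


# Parameter names that usually carry an anti-CSRF token (heuristic, assumption).
TOKEN_NAMES = re.compile(r"(csrf|xsrf|token|nonce)", re.I)
# Common prefixes that stop JSON from being executed via <script src=...>.
XSSI_GUARD = re.compile(r"^\s*(\)\]\}'|while\s*\(\s*1\s*\);|for\s*\(\s*;\s*;\s*\);)")


def _is_authenticated(x):
    """Treat any cookie- or Authorization-bearing request as user-specific."""
    return "Cookie" in x.req_headers or "Authorization" in x.req_headers


def _params(x):
    """All request parameters: query string plus form body for POST."""
    qs = parse_qsl(urlsplit(x.url).query)
    if x.method == "POST":
        qs += parse_qsl(x.body)
    return qs


def review(x):
    """Return a list of (severity, tag, detail) findings for one exchange."""
    findings = []
    ctype = x.resp_headers.get("Content-Type", "").lower()
    cache = x.resp_headers.get("Cache-Control", "").lower()
    host = urlsplit(x.url).hostname

    # 1. XSSI: authenticated JSON/JS fetched with GET and no anti-inclusion prefix.
    if (x.method == "GET" and _is_authenticated(x)
            and ("json" in ctype or "javascript" in ctype)
            and not XSSI_GUARD.match(x.resp_body)):
        findings.append(("high", "xssi",
                         "authenticated JSON/JS served via GET without anti-inclusion prefix"))

    # 2. CSRF: state-changing request with no token-like parameter anywhere.
    if (x.method in ("POST", "PUT", "DELETE") and _is_authenticated(x)
            and not any(TOKEN_NAMES.search(name) for name, _ in _params(x))):
        findings.append(("medium", "csrf",
                         "state-changing request carries no obvious anti-CSRF token"))

    # 3. Caching: personalised response without an explicit private/no-store directive.
    if _is_authenticated(x) and not any(d in cache for d in ("private", "no-store")):
        findings.append(("medium", "cache",
                         f"authenticated response cacheable (Cache-Control: {cache or 'absent'})"))

    # 4. XSS candidate: a request parameter value reflected verbatim into HTML.
    if "text/html" in ctype:
        for name, value in _params(x):
            if len(value) >= 4 and value in x.resp_body:
                findings.append(("low", "xss-candidate", f"parameter '{name}' reflected verbatim"))
                break

    # 5. Cross-domain code inclusion: scripts pulled from another origin.
    if "text/html" in ctype:
        for src in re.findall(r'<script[^>]+src=["\']([^"\']+)', x.resp_body, re.I):
            src_host = urlsplit(src).hostname
            if src_host and src_host != host:
                findings.append(("info", "xdomain-script", f"script loaded from {src_host}"))
    return findings


def review_all(exchanges):
    """Map each exchange URL to its findings."""
    return {x.url: review(x) for x in exchanges}


# Constructed sample traffic (hostnames, cookies and bodies are made up for this example).
SAMPLE = [
    Exchange("GET", "https://app.example.test/api/me", {"Cookie": "sid=abc"}, "",
             200, {"Content-Type": "application/json"}, '{"email":"alice@example.test"}'),
    Exchange("POST", "https://app.example.test/settings", {"Cookie": "sid=abc"},
             "display_name=Alice", 200,
             {"Content-Type": "text/html", "Cache-Control": "private"},
             '<html>Saved: Alice <script src="https://cdn.example.net/lib.js"></script></html>'),
    Exchange("GET", "https://app.example.test/api/safe", {"Cookie": "sid=abc"}, "",
             200, {"Content-Type": "application/json", "Cache-Control": "no-store"},
             ")]}'\n{\"ok\":true}"),
]

if __name__ == "__main__":
    for url, found in review_all(SAMPLE).items():
        for sev, tag, detail in found:
            print(f"{sev:6} {tag:15} {url}  {detail}")
```

On the constructed sample, the first exchange is flagged for XSSI and caching, the second for CSRF, a reflected parameter and a third-party script, and the third (guarded JSON with `no-store`) produces nothing. As the post itself cautions, every line is a candidate for a human to confirm: a reflected value is only an XSS if it lands in an unescaped context, and a missing token name may simply mean the application uses a header or a SameSite cookie instead.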

We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies. We believe that responsible security research brings a net overall benefit to the safety of the Web as a whole, and have released this tool explicitly to support that kind of research.

To download the proxy, please visit this page. Also, please keep in mind that the proxy is designed solely to highlight interesting patterns in web applications; further analysis by a security professional is often required to interpret the results and judge their significance for the tested platform.

8 comments:

Making Money Online Jobs said...
This comment has been removed by a blog administrator.
unwiredbrain said...

Spammer >:-@

Dinesh Venkatesan said...

This is an excellent initiative. Hats off!!

tomsavage said...

Great product. Where can I find information on the current status of Google Lemon? Even Google returns no current info.
Thanks.

praveenboss said...

good work ... great goin... visit mine...link1

Diego said...

Using on Cygwin. Really nice tool.

mirç, mirc, mırc, mirc addon, mirc script, unreal, tcl, bot, oyun, mirc download, said...
This comment has been removed by a blog administrator.
ttmp said...

I guess this was the outcome of the Google Lemon project?