Government // Enterprise Architecture
News
7/7/2008
07:40 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Google Makes Application Security Tool Available As Open Source

Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it.

Google has given its application security assessment tool that it uses internally its independence. It's made Ratproxy open source code to help developers of Web applications assess their code's security profile.

Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it. In a July 1 blog posting, Zalewski said Google had made Ratproxy available for free download at http://code.google.com/p/ratproxy/ as open source code . Unlike some security tools that determine the security of an application by firing test penetrations, Ratproxy operates passively, inspecting the application for security exposures.

Zalewski said in his blog that it operates in a "hands off" and "non-disruptive manner." It can do content sniffing, distinguishing between Style Sheets, a standard for building Web site pages, and malicious JavaScript. It can look for snippets of malicious JavaScript buried in content, even though the differences between legitimate code and intruder code can be subtle.

It can do on-the-fly ActionScript decompilation, or a dissection of the Adobe's Flash scripting code designed to run in the end user's Flash Player, to make sure it contains no hidden, intrusive actions.

It is designed to analyze the actions of a user's browser on a Web site and automatically pinpoint and annotate areas of concern or potential flaws, where an intruder might find a way to take advantage of the user-initiated actions allowed on the page, wrote Zalewski. When it finds a suspect application code, it can produce a "very lightweight test" of it that will indicate whether it's a vulnerability. It reports on specific areas of concern, he wrote.

Ratproxy attempts to prevent cross site scripting, where an attacker places JavaScript or other code on a Web site that performs actions with other site visitors other than the one intended, whether it's redirecting them to a dummy site or capturing their personal information.

The tool watches out for mixed content in HTTPS or secure HTTP environments and recognizes it when it is a disallowed feature for an HTTPS application.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.