Google Makes Application Security Tool Available As Open Source
Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it.
Google has given its application security assessment tool that it uses internally its independence. It's made Ratproxy open source code to help developers of Web applications assess their code's security profile.
Ratproxy was developed by Google security expert Michl Zalewski, who will continue to help maintain it. In a July 1 blog posting, Zalewski said Google had made Ratproxy available for free download at http://code.google.com/p/ratproxy/ as open source code . Unlike some security tools that determine the security of an application by firing test penetrations, Ratproxy operates passively, inspecting the application for security exposures.
More Internet Insights
White Papers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
Reports
- How Google+, Facebook Impact Corporate Strategy: Social Media and IT at a Crossroads
- HTML5: Poised to Give “Rich” Rivals a Run for Their Money
Webcasts
- Maximize ROI with Database Consolidation onto Private Clouds
- Effective IT Inventory and Asset Management: From Quagmire to Quick Fix
Zalewski said in his blog that it operates in a "hands off" and "non-disruptive manner." It can do content sniffing, distinguishing between Style Sheets, a standard for building Web site pages, and malicious JavaScript. It can look for snippets of malicious JavaScript buried in content, even though the differences between legitimate code and intruder code can be subtle.
It can do on-the-fly ActionScript decompilation, or a dissection of the Adobe's Flash scripting code designed to run in the end user's Flash Player, to make sure it contains no hidden, intrusive actions.
It is designed to analyze the actions of a user's browser on a Web site and automatically pinpoint and annotate areas of concern or potential flaws, where an intruder might find a way to take advantage of the user-initiated actions allowed on the page, wrote Zalewski. When it finds a suspect application code, it can produce a "very lightweight test" of it that will indicate whether it's a vulnerability. It reports on specific areas of concern, he wrote.
Ratproxy attempts to prevent cross site scripting, where an attacker places JavaScript or other code on a Web site that performs actions with other site visitors other than the one intended, whether it's redirecting them to a dummy site or capturing their personal information.
The tool watches out for mixed content in HTTPS or secure HTTP environments and recognizes it when it is a disallowed feature for an HTTPS application.
Related Reading
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
|
T-Shirt Giveaway: Each week we're selecting one great comment from our readers. The author of the comment will receive an InformaitonWeek Community t-shirt. So get posting! |
Subscribe to RSSResource Links
This Week's Issue
Technology Whitepapers
- Mobile BI: Actionable Intelligence for the Agile Enterprise
- Creating the Enterprise-Class Tablet Environment - by Yankee Group
- The BlackBerry PlayBook tablet's Good Bones - by BlackBerry
- Red Alert: Why Tablet Security Matters - by BlackBerry
- New Visual and Wizard-Driven Paradigms for Exploring Data and Developing Analytic Workflows
Featured Resource
Download this whitepaper and find out how to easily manage web content by categorizing it into a discrete number of categories.
Learn More
