RatProxy – Web Application Audit Tool From Google « VT's Tech Blog

« Creating Scalable Web sites using Amazon EC2 and Scalr

Zemanta – More Platform Coverage »

RatProxy – Web Application Audit Tool From Google
Security
4th July 2008 -By Vinu Thomas
After HP & Microsoft’s security tool, Google’s gotten onto distribuing a Security Audit tool. Here’s Ratproxy which is a passive web security audit tool based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
Some of the key features ( from Ratproxy’s documentation) :
- No risk of disruptions. In the default operating mode, tool does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms.
- Low effort, high yield. Compared to active scanners or fully manual proxy-based testing, ratproxy assessments take very little time or bandwidth to run, and proceed in an intuitive, distraction-free manner – yet provide a good insight into the inner workings of a product, and the potential security vulnerabilities therein. They also afford a consistent and predictable coverage of user-accessible features.
- Preserved control flow of human interaction. By silently following the browser, the coverage in locations protected by nonces, during other operations valid only under certain circumstances, or during dynamic events such as cross-domain Referer data disclosure, is greatly enhanced. Brute-force crawlers and fuzzers usually have no way to explore these areas in a reliable manner.
- WYSIWYG data on script behavior. Javascript interfaces and event handlers are explored precisely to a degree they are used in the browser, with no need for complex guesswork or simulations. Active scanners often have a significant difficulty exploring JSON responses, XMLHttpRequest() behavior, UI-triggered event data flow, and the like.
- Easy process integration. The proxy can be transparently integrated into an existing manual security testing or interface QA processes without introducing a significant setup or operator training overhead.
Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
Links:
Ratproxy @ Google Code
RatProxy Documentation
Related articles by Zemanta
Leave a Reply
Click here to cancel reply.
Name (required)
Mail (will not be published) (required)
Website

Notify me of follow-up comments by email.
Notify me of new posts by email.

About the Author
Vinu Thomas
Vinu Thomas is the editor of My Portable World and VT's Tech Blog. As a Technical Architect, he works on PHP and opensource technologies by day and is a mobile enthusiast and blogger. You can follow him on Twitter @vinuthomas and Google+
Syndicate
Subscribe to this site's RSS feed.
Desktop Reader Bloglines Google Live Netvibes Newsgator Yahoo! What's This?
Subscribe by Email
If you're not into RSS feeds, and want to get the latest posts be email, fill in this form, and Google will send you an email everytime a new post is up
Enter your email address:
Sponsors