VT's Tech Blog

A Tech Discovery Blog on PHP, Ajax, Security and Social Media.

RatProxy – Web Application Audit Tool From Google

    Security
    4th July 2008 - By Vinu Thomas

    After HP's and Microsoft's security tools, Google has also started distributing a security audit tool. Here's Ratproxy, a passive web security audit tool based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

    It detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

    Some of the key features (from Ratproxy's documentation):

    • No risk of disruptions. In the default operating mode, the tool does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms.
    • Low effort, high yield. Compared to active scanners or fully manual proxy-based testing, ratproxy assessments take very little time or bandwidth to run, and proceed in an intuitive, distraction-free manner – yet provide a good insight into the inner workings of a product, and the potential security vulnerabilities therein. They also afford a consistent and predictable coverage of user-accessible features.
    • Preserved control flow of human interaction. By silently following the browser, the coverage in locations protected by nonces, during other operations valid only under certain circumstances, or during dynamic events such as cross-domain Referer data disclosure, is greatly enhanced. Brute-force crawlers and fuzzers usually have no way to explore these areas in a reliable manner.
    • WYSIWYG data on script behavior. Javascript interfaces and event handlers are explored precisely to a degree they are used in the browser, with no need for complex guesswork or simulations. Active scanners often have a significant difficulty exploring JSON responses, XMLHttpRequest() behavior, UI-triggered event data flow, and the like.
    • Easy process integration. The proxy can be transparently integrated into existing manual security testing or interface QA processes without introducing a significant setup or operator training overhead.

    Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.
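    To make the passive approach concrete, here is an added example (written for this post, not code from Ratproxy or Google) of what a passive audit does: it never sends a request of its own, it only inspects request/response pairs that a browser already produced, and flags the classes of issue named above. The four heuristics, the token-name list, the `Exchange` record and the sample traffic are all assumptions constructed for the illustration; they are not Ratproxy's actual rule set.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Exchange:
    """One observed request/response pair, as a recording proxy would log it (assumed shape)."""
    method: str
    url: str
    req_headers: dict
    req_body: str
    resp_headers: dict
    resp_body: str


# Parameter names treated as anti-XSRF tokens: an assumption for this example only.
TOKEN_NAMES = {"csrf", "csrf_token", "xsrf", "xsrf_token", "_token", "authenticity_token", "nonce"}
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _ctype(headers):
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def check_xsrf(ex):
    """State-changing POST whose form body carries no recognisable anti-XSRF token."""
    if ex.method.upper() != "POST":
        return None
    if any(k.lower() in TOKEN_NAMES for k in parse_qs(ex.req_body)):
        return None
    return ("xsrf", ex.url, "POST without an anti-XSRF token parameter")


def check_content_serving(ex):
    """JSON-shaped body returned with an HTML, plain-text or missing Content-Type."""
    body = ex.resp_body.lstrip()
    if body[:1] in ("{", "[") and _ctype(ex.resp_headers) in ("", "text/html", "text/plain"):
        return ("content", ex.url, "JSON-looking body not served as application/json")
    return None


def check_referer_disclosure(ex):
    """Request to a third-party host whose Referer carries a query string (possible data leak)."""
    ref = ex.req_headers.get("Referer", "")
    if ref and _host(ref) != _host(ex.url) and urlsplit(ref).query:
        return ("referer", ex.url, "query string of %s disclosed cross-domain" % _host(ref))
    return None


def check_script_inclusion(ex):
    """HTML page that includes script from another origin, i.e. trusts that host fully."""
    if _ctype(ex.resp_headers) != "text/html":
        return None
    foreign = sorted({_host(src) for src in SCRIPT_SRC.findall(ex.resp_body)
                      if src.startswith(("http://", "https://")) and _host(src) != _host(ex.url)})
    if foreign:
        return ("script", ex.url, "scripts included from " + ", ".join(foreign))
    return None


CHECKS = (check_xsrf, check_content_serving, check_referer_disclosure, check_script_inclusion)


def audit(exchanges):
    """Run every passive check over recorded traffic; nothing here sends a request."""
    findings = []
    for ex in exchanges:
        for check in CHECKS:
            hit = check(ex)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample traffic for the demonstration; not captured from any real site.
SAMPLE = [
    Exchange("POST", "https://app.example/profile/update", {}, "name=vinu&email=v%40example",
             {"Content-Type": "text/html"}, "<html>ok</html>"),
    Exchange("GET", "https://app.example/api/items", {}, "",
             {"Content-Type": "text/html"}, '[{"id": 1}]'),
    Exchange("GET", "https://cdn.other-example/widget.js",
             {"Referer": "https://app.example/search?q=secret+term"}, "",
             {"Content-Type": "application/javascript"}, "/* js */"),
    Exchange("GET", "https://app.example/", {}, "",
             {"Content-Type": "text/html"},
             '<html><script src="https://cdn.other-example/widget.js"></script></html>'),
    Exchange("POST", "https://app.example/logout", {}, "csrf_token=abc123",
             {"Content-Type": "text/html"}, "<html>bye</html>"),
]

if __name__ == "__main__":
    for kind, url, note in audit(SAMPLE):
        print(f"[{kind}] {url}: {note}")
```

    Run it and the four flawed exchanges each produce one finding while the token-protected logout POST produces none. The point of the design is the one the feature list makes: because the input is traffic the user already generated, the checks see pages behind nonces and login flows that a crawler cannot reach, and they can be run against a production system without ever emitting attack traffic.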

    Links:

    Ratproxy @ Google Code
    RatProxy Documentation

Copyright © - VT's Tech Blog