[Owasp-delhi] Google opens up RatProxy

Soi, Dhruv dhruv.soi at owasp.org
Wed Jul 9 00:23:05 EDT 2008


Google developed a Web page vulnerability sniffer application for its own
internal use, and called it RatProxy <http://code.google.com/p/ratproxy/>.
It is described as:

A semi-automated, largely passive web application security audit tool,
optimized for an accurate and sensitive detection, and automatic annotation,
of potential problems and security-relevant design patterns based on the
observation of existing, user-initiated traffic in complex web 2.0
environments.

It is capable of detecting unsecured data channels, cross-site scripting
flaws, and high-risk code that references data from outside domains. It even
prioritizes detected issues for you. It supports FreeBSD, Linux-based, and
MacOS X environments, and even the MS Windows Unix-emulation environment,
Cygwin, according to the information on the RatProxy homepage at Google
Code.

As of this month, RatProxy is publicly available under the terms of the
Apache License 2.0 <http://www.apache.org/licenses/LICENSE-2.0>, a Copyfree
<http://copyfree.org/>, Free Software
<http://www.gnu.org/philosophy/license-list.html>, and Open Source
<http://www.opensource.org/licenses/category> license. Yes, RatProxy is now
open source software, by every major definition.

Google's hope seems to be that Web developers will use the tool to help
secure their sites, in particular when using increasingly popular cross-site
content aggregation Website design techniques. As a sample test results
screenshot <http://ratproxy.googlecode.com/files/ratproxy-screen.png>
demonstrates, RatProxy output is well-organized and full of helpful
information. It's a tool I will personally use in the future.

You can download it directly from the RatProxy project homepage as a source
tarball, and as a Google Code project you can even get an svn checkout
<http://code.google.com/p/ratproxy/source/checkout> if you like.

RatProxy is far from the only such tool in existence - it is not a new idea.
In fact, the fairly comprehensive wiki documentation
<http://code.google.com/p/ratproxy/wiki/RatproxyDoc> for RatProxy lists a
few alternative tools, in case you're interested in trying out the
"competition". The documentation also makes a good case for why RatProxy
isn't just redundant and ignorable, however. Being an open source tool, and
one developed for in-house use by a very high profile Web application
service provider with an excellent security reputation, RatProxy is sure to
remain quite relevant and useful for some time to come.

Of course, such tools are just a way to make things a little easier. They
tend to be useful only for identifying very limited selections of
vulnerabilities, and should not be considered a magic wand for discovering
and fixing software vulnerabilities. Use a tool like RatProxy, by all means,
but when you're done with it and have fixed all the identified
vulnerabilities, you should still go over the Website source with a
fine-toothed comb.

There is no substitute for diligence and intelligent analysis.

Source: http://blogs.techrepublic.com.com/security/?p=491
