We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,145 News Articles

Google releases free web security tool

Ratproxy tests security of web-based apps

Google has made Ratproxy, a tool used for testing the security of web-based applications, available for free.

Released under an Apache 2.0 software licence, Google's internal tool looks for a variety of coding problems in web applications, such as errors that could allow a cross-site scripting attack or cause caching problems.

"We decided to make this tool freely available as open source because we feel it will be a valuable contribution to the information security community, helping advance the community's understanding of security challenges associated with contemporary web technologies," said Google's Michal Zalewski in a company blog.

Ratproxy, released as version 1.51 beta, is quick-and-less intrusive, than other scanners in that it is passive and does not generate a high volume of attack-simulating traffic when running, Zalewski said. Active scanners can cause problems with application performance.

The tool sniffs content and can pick out snippets of JavaScript from stylesheets. It also supports Secure Socket Layer (SSL) scanning, among other features.

Since it runs in a passive mode, Ratproxy highlights areas of concern that "are not necessarily indicative of actual security flaws".

"The information gathered during a testing session should be then interpreted by a security professional with a good understanding of the common problems and security models employed in web applications," Zalewski added.

Code licensed under the Apache 2.0 licence may be incorporated in derivative works, including commercial ones, but the origin of the code must be acknowledged.

Weak web-application security continues to embarrass companies, potentially causing the loss of customer or financial data.

A 2006 survey by the Web Application Security Consortium found that almost 86 percent of 31,373 sites were vulnerable to cross-site scripting attacks, 26 percent were vulnerable to SQL injection and 16 percent had other faults that could lead to data loss.

As a result, security vendors have moved to fill the need for better security tools, with large technology companies acquiring smaller, specialised companies in the field.

In June 2007, IBM bought Watchfire, a company that focused on web application vulnerability scanning, data protection and compliance auditing. Two weeks later, HP said it would buy SPI Dynamics, a rival of Watchfire whose software also looks for vulnerabilities in web applications as well as performing compliance audits.

Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security product reviews


IDG UK Sites

6 cheapest 4K TVs in the UK 2014: Get a UHD telly without breaking the bank

IDG UK Sites

Apple MacBook Air (11-inch, 256GB, Early 2014) lab tests and benchmarks

IDG UK Sites

How to stop your parents opening and responding to phishing emails

IDG UK Sites

Google to ship first Project Ara developer boards in July