Slashdot Mirror


Google Gives Away Web App Security Tool

CWmike writes "Google has released for free one of its internal tools used for testing the security of Web-based applications. Ratproxy, released under an Apache 2.0 software license, looks for a variety of coding problems in Web applications. A 2006 survey by the Web Application Security Consortium found that 85.57 percent of 31,373 sites were vulnerable to cross-site scripting attacks, 26.38 percent were vulnerable to SQL injection and 15.70 percent had other faults that could lead to data loss."

30 comments

  1. Proving once again... by Enderandrew · · Score: 1

    ...despite all the haters, that Google certainly isn't evil.

    Thanks!

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:Proving once again... by Anonymous Coward · · Score: 1, Informative

Or just proving that there are a lot of developers at Google that aren't evil.
A corporation exists for the benefit of its shareholders. As long as the shareholders' interests are honorable, the company will stay that way. When shareholder interest moves focus to maximizing profit, "Do no evil" becomes a nice catchphrase.

      Everything is evil, just watch me if I had the same opportunity...

    2. Re:Proving once again... by Sta7ic · · Score: 1

      Surrre. What were they using it for before they released it?

    3. Re:Proving once again... by Anonymous Coward · · Score: 0

      ...despite all the haters, that Google certainly isn't evil.

As many people sitting in Chinese prisons can certainly attest to.

      "DUNT BE TEH EVEL, UNLES IT OOTSIDE TEH US OF TEH A!!!11!!"

    4. Re:Proving once again... by Anonymous Coward · · Score: 0

      Sounds like a group of lolcats...

    5. Re:Proving once again... by Anonymous Coward · · Score: 0

      maybe we should send them some cheezburgers

    6. Re:Proving once again... by Anonymous Coward · · Score: 0

      how many of the *haters* are really other Corporations in disguise paying people to say shit about Google? It's not like munchkins haven't been around before.

    7. Re:Proving once again... by RiotingPacifist · · Score: 1

Do Google pass on failed search attempts? I thought that they simply blocked certain keywords completely, meaning that people searching for that stuff are probably safer than if they found the results.

      --
      IranAir Flight 655 never forget!
  2. Works great by tcopeland · · Score: 5, Informative

    Just run it with "-xX" and see what it finds in terms of XSS vulnerabilities... I used it this afternoon on an app and found a bunch of stuff. Some problems were tricky, other problems were simple ones of the "alert('hi')" variety. And it's in C so it's fast enough to browse through without being annoying. RatProxy + FireBug make a great combo. Thanks Google!

    1. Re:Works great by VGPowerlord · · Score: 4, Funny

      If you run it with -xXx, it'll find any pornographic images on your site.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    2. Re:Works great by Ynot_82 · · Score: 3, Funny

      and 4x's gives you free beer

    3. Re:Works great by CMonk · · Score: 1

      I got a buffer overflow on my site.

    4. Re:Works great by Anonymous Coward · · Score: 0

      And crappy action movies.

    5. Re:Works great by agendi · · Score: 1

      Or Vin Diesel.

      --
      I just can't be bothered.
  3. win32 compile by Anonymous Coward · · Score: 1, Informative

Don't trust random executables from the internet.
    http://www.sendspace.com/file/hiwcs7 (needs cygwin)

4. Oooh, goody goody... by T3Tech · · Score: 5, Funny

    a new toy to play with.

    In other news, Viacom has petitioned the court for Google's logs of users who downloaded their ratproxy tool after it was used to reveal vulnerabilities on certain Viacom owned web sites.

    --
    Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
  5. I hate it when I have to RTFA by museumpeace · · Score: 3, Interesting

Google has a tool, and the Web Application Security Consortium has discovered a problem with a large portion of sites. Are these two facts related? Does the Google tool detect the named problems?

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  6. Script Kiddie Time! by Cynic.AU · · Score: 1

    Awesome, now I'm going to run around with my 1337 new tool, finding vulnerabilities in every website I can find on the internet. Then I'm going to post obnoxious defacement messages, pretending to be a Turkish hacker... :p

  7. Documentation by Kolargol00 · · Score: 4, Informative

    The documentation is here.

    --
    XML is like violence. If it doesn't solve the problem, use more. Junta
  8. Windows version by Espectr0 · · Score: 1

Is there a Windows build somewhere for those of us forced to use Windows at work?

    1. Re:Windows version by allcar · · Score: 2, Informative

      Some people report success building and running this under Cygwin.

    2. Re:Windows version by Anonymous Coward · · Score: 0

Is there a Windows build somewhere for those of us forced to use Windows at work?

      Dude, it's a security tool. Windows users need not apply!