Google Hands Out Web Security Scanner
An anonymous reader writes "Apparently feeling generous this week, Google has released for free another of their internally developed tools: this time, a nifty web security scanner dubbed skipfish. A vendor-sponsored study cited by InformationWeek discovered that 90% of all web applications are vulnerable to security attacks. Are Google's security people trying to change this?"
Considering how many web apps use Google APIs in some form or another these days, I'd say it's in their best interests to ensure those sites don't all become a liability to each other by way of their centralized cloud.
CAn'T CompreHend SARcaSm?
If you want the internet to remain free, you'll have to get off your lazy ass. Start by going and downloading the skipfish source - it's under an Apache license - and audit it for us. Tell us if it's got any phone-home reporting, if it leaves out any major items from its scans, etc.
We all know we should question everything, including Google's intentions. We're pretty smart, we get that. Instead of offering blind, childish rhetoric, you could offer proof and/or solutions. Just sayin'; calling Google a major privacy invader doesn't stop them.
Google is one of the most anti-privacy, intrusive evil corporations out there, second only to Facebook. They make a living over promiscuous sharing of personal data. Why should I trust them?
Have they ever lied to you about what they do? I don't use Google under any misinformed idea that they *don't* track everything I do. I go into it knowing that this *is their business*.
Were you under some other impression?
If you want news from today, you have to come back tomorrow.
They want to promote more use of their services. One way to do that is to make the web safer, helping more sites to flourish, and so encouraging users to do more things online, which will only help them. So in this case, even if they are doing it for their own selfish motives, they are actually trying to help you. So, in this particular case, your privacy won't get harmed and you will get a good tool. Why not take it? Do you want the real bad guys, instead of Google, to get your personal and job data?
I could just bury your comment by modding you a troll, but I'd rather correct the misinformation.
Microsoft has patents on how to sell your personal information to the highest bidder. Microsoft, Yahoo, and AOL all handed over your personal search histories to the US government. They all play ball in China. Yahoo handed over bloggers to the Chinese government.
Google targets ads to you, but they don't share your personal data out to anyone. Google tracks your information to serve up ads, but this is all machine controlled. It isn't like Google employees sit around all day reading your email.
If you don't want Google to have your information, then don't use their services. I happen to really like their services. I want the convenience of being able to get to my mail from any device without having to try and run my own mail server (dealing with SSH attacks, whitelisting, backups, etc. can be a pain). Google provides me a free service I enjoy, and thusly I willingly accept the trade-off of targeted ads.
They are VERY upfront about what they do, and they also provide tons of great open source products. They are the primary funder of Firefox, and they fund a decent chunk of Linux development. I'm sick of people calling them evil every single day without providing one single piece of evidence.
Either provide some evidence, or stop spouting FUD and lies. Personally, I'm sick of it.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
http://techcrunch.com/2008/08/28/mozilla-extends-lucrative-deal-with-google-for-3-years/
The ACLU has an interesting video regarding data retention and proliferation: http://www.aclu.org/ordering-pizza
It's not quite all here yet, but it's definitely not outside the realm of probability.
Someone sends me an email from a gmail acct, poof, there I am. And I can't reply without using gmail, because that is all they use.
True, but not really relevant -- if they weren't using Gmail, they'd be using something else. Do you trust Yahoo or Hotmail any more than Google? How about some random ISP?
And it's not like they can track much from that, other than your conversations with someone who already keeps all their other conversations with Google.
Don't thank God, thank a doctor!
Google didn't start the censorship in China, it wasn't their idea, and they weren't the first group to comply with what is, in China, local law. They've also been pretty clearly repulsed by the rule, hence the issues they are now having with the Chinese government. They went into a crappy situation thinking that maybe they could improve things, or at least tolerate them until it had enough time to change (and it is just a matter of time, really)... apparently they were wrong, have seen the error of their ways, and are getting the heck out while they still can.
You seem to think that isn't good enough. So do you believe that because a nation makes laws which you don't agree with, private companies should be obligated to violate those laws in those countries? That failure to do so constitutes evil?
You can't possibly think that would end well.
Try not to take me more seriously than I take myself.
We configured skipfish and pointed it at our custom platform with full administrator rights. Entered our system's custom file extensions into the skipfish dictionary.
Overall the performance is quite good (>3k HTTP requests per second) after tweaking concurrent connection count. Orders of magnitude better than any scanner we have ever used.
The report UI seemed polished and provided quite a bit of useful data with summaries and drill down to detail. It would really help if instead of simply posting raw request/response data it would highlight sections of the response that lead it to make an assumption WRT a particular vulnerability.
In terms of scan results they look for quite a number of common vulnerabilities, some of the checks are quite creative. I especially liked the check for "interesting" contents. Some of our test data tripped them - this was perfectly reasonable given content.
Aborted the scanner at the 5 million HTTP request mark ~20 mins later.
In terms of actual results against our system, out of the several dozen possible vulnerabilities reported (XSRF, injection, etc.) there were no actual problems discovered - 100% false alarms.
There is something really odd about some of the requests being made... I don't know if it's intentional to discover bugs, but the folder/file parsing looks to be broken and it's building stupid path names with the filename /subfolder... This seems to be causing most of the UI not to crawl, as it seems to be ending up in the 404 category. Maybe this is my fault on dictionary configuration, but the system wastes way too many requests throwing the dictionary at each resource and not nearly enough time crawling the site and discovering what's available for exploit.
I then took a cursory glance at the source code... all of the rule checking is hard-coded in C (see analysis.c)... which to me seems quite stupid and useless.
The tool is a start already better than many freebie tools I have used over the years.
My advice is to first and foremost abstract the analysis details out of the C code. Focus more on walking the site even if it's dynamic content, and bolt in some intelligence/expert system to direct activities.