Google releases its open-source RatProxy web app scanner

Last week, Google open-sourced one of its web development tools -- RatProxy. The company describes it as:

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS ([Ed: cross-site request forgery and cross-site scripting, respectively]) defenses, and much more.

But what's it really do?

At heart, it's designed specifically for web 2.0 applications (as opposed to full-blown security proxies like WebScarab and ProxMon, which are more general purpose in nature). WebScarab, for instance, supports automated parameter fuzzing in order to detect SQL injection and XSS, but also supports a zillion other features.

Conversely, RatProxy is designed specifically for assessment of cross-site vulnerabilities with little effort. As opposed to more active scanning tools, it also can run against production systems without fear of DOSsing (denial-of-service) them. RatProxy hones in on five specific types of weaknesses:

• MIME type mismatches: does the reported MIME type match the actual content?
• How do apps behave when cookie-based authentication data is removed from requests?
• Are security tokens sufficiently strong (e.g., can they be guessed) and will they resist replay attacks?
• Are parameters of a request echoed back in the response such that XSS is possible?
• MIME type mismatches: does the reported MIME type match the actual content?
• Can boundary conditions be exploited such that trust mechanisms are spoofable or information disclosure is possible?

The doc is pretty good reading and covers more of the details.

RatProxy should run under most Linux, FreeBSD, MacOS X, and Windows (via Cygwin) configurations.