RatProxy, Google's own proxy-based Web vulnerability testing tool, is now available to the public under an open source license.
Google developed a Web page vulnerability sniffer application for its own internal use, and called it RatProxy. It is described as:
A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
It is capable of detecting unsecured data channels, cross-site scripting flaws, and high-risk code that references data from outside domains. It even prioritizes detected issues for you. It supports FreeBSD, Linux-based, and MacOS X environments, and even the MS Windows Unix-emulation environment, Cygwin, according to the information on the RatProxy homepage at Google Code.
As of this month, RatProxy is publicly available under the terms of the Apache License 2.0, a Copyfree, Free Software, and Open Source license. Yes, RatProxy is now open source software, by every major definition.
Google's hope seems to be that Web developers will use the tool to help secure their sites, in particular when using increasingly popular cross-site content aggregation Website design techniques. As a sample test results screenshot demonstrates, RatProxy output is well-organized and full of helpful information. It's a tool I will personally use in the future.
You can download it directly from the RatProxy project homepage as a source tarball, and as a Google Code project you can even get an svn checkout if you like.
RatProxy is far from the only such tool in existence — it is not a new idea. In fact, the fairly comprehensive wiki documentation for RatProxy lists a few alternative tools, in case you're interested in trying out the "competition". The documentation also makes a good case for why RatProxy isn't just redundant and ignorable, however. Being an open source tool, and one developed for in-house use by a very high profile Web application service provider with an excellent security reputation, RatProxy is sure to remain quite relevant and useful for some time to come.
Of course, such tools are just a way to make things a little easier. They tend to be useful only for identifying very limited selections of vulnerabilities, and should not be considered a magic wand for discovering and fixing software vulnerabilities. Use a tool like RatProxy, by all means, but when you're done with it and have fixed all the identified vulnerabilities, you should still go over the Website source with a fine-toothed comb.
There is no substitute for diligence and intelligent analysis.Note: announced on bugtraq