http://www.vnunet.com/vnunet/news/2220583/google-releases-web-app
By Shaun Nichols in San Francisco
vnunet.com
02 July 2008
Google has released the source code for a security tool it uses
internally.
The RatProxy software analyzes web pages for potential security risks
and reports them back to the site administrator.
Among the vulnerabilities RatProxy is able to test for are cross-site
scripting flaws and incomplete cross-site defense mechanisms as well as
potential data leak sources and risky code that retrieves data from
outside domains.
The company hopes that developers will put the tool to use when coding
new web-based services that rely on multiple sites and outside sources
for data. Google security engineer Michal Zalewski warned, however, that
the tool should not be considered a substitute for a thorough analysis
by a security professional.
"We feel it will be a valuable contribution to the information security
community, helping advance the community's understanding of security
challenges associated with contemporary web technologies," explained
Zalewski.
"We believe that responsible security research brings a net overall
benefit to the safety of the Web as a whole, and have released this tool
explicitly to support that kind of research."
Users can download the tool from the Google Code site. The tool works on
Windows, Linux, FreeBSD and Mac OS X operating systems.
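03 July 2008 12:58
July 3 (Beijing time): According to foreign media reports, Google has recently made a security tool that it uses internally available as a free download. The tool can find website vulnerabilities.
The tool is called RatProxy. It mainly analyzes web pages for security vulnerabilities and can send vulnerability reports to the site administrator.
Going forward, users can download the tool from the Google Code site. Google provides versions that support Windows, Linux, FreeBSD and Mac OS X.
The vulnerabilities RatProxy can find include cross-site scripting flaws, incomplete cross-site security defenses, and unsafe code that retrieves information from outside domains.
Google said it hopes developers will use the tool for security checks when building cross-site Internet applications. However, Google security engineer Zalewski warned that this software should not be regarded as a systematic analysis by a security professional.
Google said it feels that making this tool available as a free download can be of some help to the information security industry as a whole, and can help site administrators recognize the security challenges facing new web technologies.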
http://code.google.com/p/ratproxy/wiki/RatproxyDoc