Google Gives Away Web App Security Tool
Posted by timothy on Thu Jul 03, 2008 05:22 PM
from the to-whom-it-may-concern dept.
CWmike writes "Google has released for free one of its internal tools used for testing the security of Web-based applications. Ratproxy, released under an Apache 2.0 software license, looks for a variety of coding problems in Web applications. A 2006 survey by the Web Application Security Consortium found that 85.57 percent of 31,373 sites were vulnerable to cross-site scripting attacks, 26.38 percent were vulnerable to SQL injection and 15.70 percent had other faults that could lead to data loss."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Proving once again... (Score:2)
...despite all the haters, that Google certainly isn't evil.
Thanks!
Re: (Score:1, Informative)
Or just proving that there's a lot of developers at Google that aren't evil.
A corporation exists for the benefit of its shareholders. As long as the shareholders' interests are honorable, the company will stay that way. When shareholder interest moves focus to maximizing profit, "Do no evil" becomes a nice catchphrase.
Everything is evil, just watch me if I had the same opportunity...
Re: (Score:1)
Surrre. What were they using it for before they released it?
Re: (Score:2)
Do Google pass on failed search attempts? I thought that they simply blocked certain keywords completely, meaning that people searching for that stuff are probably safer than if they found the results.
Works great (Score:5, Informative)
Just run it with "-xX" and see what it finds in terms of XSS vulnerabilities... I used it this afternoon on an app and found a bunch of stuff. Some problems were tricky, other problems were simple ones of the "alert('hi')" variety. And it's in C so it's fast enough to browse through without being annoying. RatProxy + FireBug make a great combo. Thanks Google!
Re:Works great (Score:5, Funny)
If you run it with -xXx, it'll find any pornographic images on your site.
Re: (Score:3, Funny)
and 4x's gives you free beer
win32 compile (Score:1, Informative)
Don't trust random executables from the internet
http://www.sendspace.com/file/hiwcs7 [sendspace.com] (needs cygwin)
Oooh, goody goody... (Score:5, Funny)
In other news, Viacom has petitioned the court for Google's logs of users who downloaded their ratproxy tool after it was used to reveal vulnerabilities on certain Viacom owned web sites.
I hate it when I have to RTFA (Score:4, Interesting)
Script Kiddie Time! (Score:1)
Documentation (Score:4, Informative)
Windows version (Score:2)
Is there a Windows build somewhere for those of us forced to use Windows at work?
Re: (Score:3, Informative)