Google has released for free one of the internal tools it uses to test the security of Web-based applications.

Ratproxy, released under the Apache 2.0 software license, looks for a variety of coding problems in Web applications, such as errors that could allow a cross-site scripting attack or cause caching problems. Ratproxy, released as version 1.51 beta, is quick and less intrusive than other scanners because it is passive and does not generate a high volume of attack-simulating traffic while running, wrote Michal Zalewski, the Google engineer who authored the tool. Active scanners can degrade application performance. The tool sniffs content on the wire and can, for example, pick out snippets of JavaScript from style sheets. It also supports SSL (Secure Sockets Layer) scanning, among other features. Because it runs in passive mode, Ratproxy highlights areas of concern that "are not necessarily indicative of actual security flaws."
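To make the passive approach concrete, here is a small illustration written for this article; it is not Ratproxy's code and does not reproduce its checks, only the idea behind them. A passive scanner never sends payloads of its own: it looks at request/response pairs that already crossed the wire and flags patterns worth a human's attention. The three checks below are the kinds the article mentions: a query parameter echoed into an HTML response (a cross-site scripting lead), a response that sets or relies on cookies without `Cache-Control: private` or `no-store` (a caching problem), and JavaScript served under a stylesheet content type. The captured exchanges in `SAMPLES` are constructed for the example; the host `app.example` and its paths are made up.

```python
"""Toy passive web-app checker (illustration only, not Ratproxy's code).

Each entry in SAMPLES is an exchange a proxy has already observed. The checks
only read that data; nothing is sent to any server.
"""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic for the example (hypothetical host app.example).
SAMPLES = [
    {   # benign value echoed back: can't prove XSS passively, but worth a look
        "url": "https://app.example/search?q=alice&page=2",
        "req_headers": {"Cookie": "sid=abc123"},
        "resp_headers": {"Content-Type": "text/html; charset=utf-8",
                         "Set-Cookie": "sid=abc123; Path=/"},
        "body": "<html><body>Results for alice (page 2)</body></html>",
    },
    {   # value containing markup comes back byte-for-byte: unencoded output
        "url": "https://app.example/greet?name=%3Cb%3Ebob%3C/b%3E",
        "req_headers": {},
        "resp_headers": {"Content-Type": "text/html", "Cache-Control": "no-store"},
        "body": "<p>Hello <b>bob</b></p>",
    },
    {   # script served as a stylesheet
        "url": "https://app.example/style/theme.css",
        "req_headers": {},
        "resp_headers": {"Content-Type": "text/css",
                         "Cache-Control": "public, max-age=3600"},
        "body": "function theme(){return document.cookie}",
    },
]

# Rough signs that a body is JavaScript rather than CSS.
JS_HINT = re.compile(r"\bfunction\s*\w*\s*\(|\bvar\s+\w+\s*=|^\s*[\[{]")


def header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def finding(ex, check, severity, note):
    return {"url": ex["url"], "check": check, "severity": severity, "note": note}


def check_parameter_echo(ex):
    """Flag query parameter values that reappear verbatim in an HTML body."""
    out = []
    if not header(ex["resp_headers"], "Content-Type").lower().startswith("text/html"):
        return out
    for name, value in parse_qsl(urlsplit(ex["url"]).query):
        if len(value) < 3 or value not in ex["body"]:
            continue  # short values match by coincidence; others weren't echoed
        if value != html.escape(value):
            # The value carried HTML metacharacters and came back unencoded.
            out.append(finding(ex, "param-echo", "high",
                               f"{name!r} echoed without HTML encoding"))
        else:
            # Nothing to encode in the benign value, so a passive check
            # cannot tell whether the app would encode a hostile one.
            out.append(finding(ex, "param-echo", "low",
                               f"{name!r} echoed; verify output encoding"))
    return out


def check_caching(ex):
    """Flag cookie-bearing exchanges whose response may be cached downstream."""
    sensitive = any((header(ex["resp_headers"], "Set-Cookie"),
                     header(ex["req_headers"], "Cookie"),
                     header(ex["req_headers"], "Authorization")))
    cc = header(ex["resp_headers"], "Cache-Control").lower()
    if sensitive and not any(tok in cc for tok in ("private", "no-store")):
        return [finding(ex, "cacheable-sensitive", "medium",
                        "cookie/credential traffic without private or no-store")]
    return []


def check_mime_mismatch(ex):
    """Flag script-looking bodies delivered under a stylesheet content type."""
    ctype = header(ex["resp_headers"], "Content-Type").split(";")[0].strip().lower()
    if ctype == "text/css" and JS_HINT.search(ex["body"]):
        return [finding(ex, "mime-mismatch", "medium",
                        "body looks like JavaScript but Content-Type is text/css")]
    return []


def scan(exchanges):
    """Run every passive check over captured exchanges; returns all findings."""
    results = []
    for ex in exchanges:
        for check in (check_parameter_echo, check_caching, check_mime_mismatch):
            results.extend(check(ex))
    return results


if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"[{f['severity']:>6}] {f['check']:<20} {f['url']}  {f['note']}")
```

Note how the `alice` case is reported only as low severity: the tester's own benign input proves the value is reflected, but not that it would be reflected unencoded, which is exactly why passive findings are leads rather than confirmed flaws.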