Google releases a web site security tool

A few days after Microsoft released a tool for dealing with SQL injection attacks, Google began offering, free of charge, a proxy that detects security problems, ratproxy:

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
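To make that description concrete, here is an added example (my own code, not ratproxy's) of what a largely passive audit looks like: it only reads request/response pairs that a proxy has already recorded and never replays or modifies traffic. The traffic, host names, paths and cookie values are constructed for the example, and the three checks are simplified stand-ins for the classes named above (script inclusion, content serving, missing XSS encoding); ratproxy's own rule set is larger and differs in detail.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request/response pairs as a recording proxy would keep them. Constructed
# sample data for this example; the host, paths and cookies are made up.
SAMPLE_TRAFFIC = [
    {   # 0: cookie-authenticated JSON array, loadable cross-site via <script src>
        "method": "GET", "url": "http://app.example/api/contacts",
        "req_headers": {"Cookie": "session=abc123"},
        "resp_headers": {"Content-Type": "application/json"},
        "body": '[{"name":"Alice","email":"alice@app.example"}]',
    },
    {   # 1: same data, but with a request token and a prefix that is not valid JS
        "method": "GET",
        "url": "http://app.example/api/contacts?xsrf=9f8e7d6c5b4a39281706f5e4d3c2b1a0",
        "req_headers": {"Cookie": "session=abc123"},
        "resp_headers": {"Content-Type": "application/json"},
        "body": ")]}'\n[{\"name\":\"Alice\"}]",
    },
    {   # 2: HTML markup served as text/plain, which browsers may sniff and render
        "method": "GET", "url": "http://app.example/uploads/notes.txt",
        "req_headers": {},
        "resp_headers": {"Content-Type": "text/plain"},
        "body": "<html><script>alert(1)</script></html>",
    },
    {   # 3: query parameter echoed into HTML without encoding
        "method": "GET", "url": "http://app.example/search?q=%3Cb%3Ehi%3C%2Fb%3E",
        "req_headers": {},
        "resp_headers": {"Content-Type": "text/html; charset=utf-8"},
        "body": "<p>Results for <b>hi</b></p>",
    },
    {   # 4: same page with the echo entity-encoded: nothing to report
        "method": "GET", "url": "http://app.example/search?q=%3Cb%3Ehi%3C%2Fb%3E",
        "req_headers": {},
        "resp_headers": {"Content-Type": "text/html; charset=utf-8"},
        "body": "<p>Results for &lt;b&gt;hi&lt;/b&gt;</p>",
    },
]

SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}
JSON_TYPES = {"application/json", "text/json"}
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")            # long opaque value: likely a token
HTML_RE = re.compile(r"<\s*(html|script|body|iframe|img|svg)\b", re.I)


def content_type(pair):
    return pair["resp_headers"].get("Content-Type", "").split(";")[0].strip().lower()


def query_params(pair):
    return parse_qs(urlsplit(pair["url"]).query, keep_blank_values=True)


def check_script_inclusion(pair):
    """Dynamic JSON/JS tied to the user's cookies, fetched by a plain GET with no
    secret token, whose body is a bare JSON array (a valid JS expression): a
    third-party page can pull it in with <script src=...>."""
    if content_type(pair) not in JSON_TYPES | SCRIPT_TYPES:
        return None
    if "Cookie" not in pair["req_headers"]:
        return None                        # not user-specific, nothing to steal
    if any(TOKEN_RE.match(v) for vals in query_params(pair).values() for v in vals):
        return None                        # the request carried something token-like
    if not pair["body"].lstrip().startswith("["):
        return None                        # prefixed (")]}'", "while(1);") or not an array
    return "script-inclusion: cookie-bound JSON array with no XSRF token, loadable via <script src>"


def check_content_serving(pair):
    """HTML-looking bytes served under a non-HTML type and without
    X-Content-Type-Options: nosniff may be rendered as HTML by a sniffing browser."""
    ctype = content_type(pair)
    if ctype in ("text/html", "application/xhtml+xml"):
        return None
    nosniff = pair["resp_headers"].get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    if HTML_RE.search(pair["body"][:1024]) and not nosniff:
        return "content-serving: HTML markup served as %s without nosniff" % (ctype or "no Content-Type")
    return None


def check_xss_reflection(pair):
    """A query parameter containing markup that reappears verbatim in an HTML
    response: the application echoes input without encoding it."""
    if content_type(pair) != "text/html":
        return None
    for name, values in query_params(pair).items():
        for value in values:
            if "<" in value and value in pair["body"]:
                return "xss: parameter %r reflected unencoded into HTML" % name
    return None


CHECKS = (check_script_inclusion, check_content_serving, check_xss_reflection)


def audit(traffic):
    """Run every passive check over every recorded pair; traffic is only observed."""
    findings = []
    for index, pair in enumerate(traffic):
        for check in CHECKS:
            message = check(pair)
            if message:
                findings.append((index, pair["url"], message))
    return findings


if __name__ == "__main__":
    for index, url, message in audit(SAMPLE_TRAFFIC):
        print("#%d %s\n    %s" % (index, url, message))
```

Pairs 1 and 4 show what a passing response looks like: a token in the request and a prefix that is not valid JavaScript defeat the cross-site `<script src>` trick, and entity-encoding the echoed parameter defeats the reflection check. Because everything is derived from traffic the user already generated, the tool sees exactly the application states a real session reaches, and nothing more; that is the trade-off behind "largely passive".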


More information:

Google Online Security Blog: http://googleonlinesecurity.blogspot.com/
Ratproxy site: http://code.google.com/p/ratproxy/
Zero Day: http://blogs.zdnet.com/security/?p=1388

Other interesting proxies: WebScarab, Paros (WebScarab is very good for small tests, but it quickly fills up memory and hangs)

Google itself also released a fuzzer some time ago, Bunny the Fuzzer:

A closed loop, high-performance, general purpose protocol-blind fuzzer for C programs.

Uses compiler-level integration to seamlessly inject precise and reliable instrumentation hooks into the traced program. These hooks enable the fuzzer to receive real-time feedback on changes to the function call path, call parameters, and return values in response to variations in input data.

This architecture makes it possible to significantly improve the coverage of the testing process without a noticeable performance impact usually associated with other attempts to peek into run-time internals.
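The closed loop in that description, as an added toy example in Python rather than Bunny's compile-time instrumentation of C programs: a decorator stands in for the injected entry/return hooks and records the call path, normalised return values and exceptions, and the fuzzer keeps every input that produces a trace it has not seen before and mutates from that kept set. The target parser, its crash condition, the seed and the mutation operators are constructed for this example and are not from Bunny. The same loop run without feedback never grows its corpus, so a bug that is three single-byte changes away from the seed is never reached.

```python
import random

_trace = []          # events the hooks record during one run of the target


def hooked(fn):
    """Stand-in for a compiler-injected entry/return hook. Bunny injects these
    into C programs at build time; this decorator is the example's substitute."""
    def wrapper(*args):
        _trace.append((fn.__name__, "call"))
        try:
            ret = fn(*args)
        except Exception as exc:
            _trace.append((fn.__name__, "raise", type(exc).__name__))
            raise
        # Keep discrete return values (None/bool/str) verbatim but only the type of
        # anything else, or every distinct integer would count as a new path.
        norm = ret if ret is None or isinstance(ret, (bool, str)) else type(ret).__name__
        _trace.append((fn.__name__, "return", norm))
        return ret
    return wrapper


# Constructed target: a tiny record parser with one crashing branch.
@hooked
def check_magic(data):
    return data[:1] == b"\x7f"


@hooked
def read_type(data):
    return data[1] if len(data) > 1 else -1


@hooked
def handle_b(payload):
    if payload[:1] == b"!":
        raise RuntimeError("unhandled '!' payload")   # the bug the fuzzer should find
    return "b"


@hooked
def parse_record(data):
    if not check_magic(data):
        return "bad-magic"
    t = read_type(data)
    if t < 0:
        return "no-type"
    if t == 0x42:
        return handle_b(data[2:])
    return "unknown-type"


# The closed loop: mutate, run under the hooks, keep inputs that reach new paths.
def run_once(data):
    del _trace[:]
    exc = None
    try:
        parse_record(data)
    except Exception as e:        # a crash is exactly what we are looking for
        exc = e
    return tuple(_trace), exc


def mutate(data, rng, max_len=4):
    """One random change per round: drop a byte, add a byte, or overwrite one."""
    buf = bytearray(data)
    r = rng.random()
    if r < 0.05 and len(buf) > 1:
        buf.pop()
    elif r < 0.10 and len(buf) < max_len:
        buf.append(rng.randrange(256))
    else:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(seed=b"\x00" * 4, budget=300000, feedback=True, rng_seed=1):
    """Return the crashing input (or None), the runs used and the distinct paths
    seen. With feedback=False the corpus never grows: blind fuzzing."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    seen = {run_once(seed)[0]}
    for i in range(budget):
        cand = mutate(rng.choice(corpus), rng)
        sig, exc = run_once(cand)
        if exc is not None:
            return {"crash": cand, "runs": i + 1, "paths": len(seen)}
        if feedback and sig not in seen:
            seen.add(sig)             # new call path or return value: worth mutating from
            corpus.append(cand)
    return {"crash": None, "runs": budget, "paths": len(seen)}


if __name__ == "__main__":
    print("with feedback:", fuzz())
    print("blind:", fuzz(feedback=False, budget=20000))
```

The crash needs the magic byte, the type byte and the `!` all in place, and each mutation round changes one byte. With feedback the loop climbs there in stages, because an input that first passes `check_magic`, and later one that reaches `handle_b`, each produces a trace nobody has seen and is kept as a new starting point. Without feedback every round starts again from the seed, so at most one byte ever differs from it.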


More information:

Bunny the Fuzzer site: http://code.google.com/p/bunny-the-fuzzer/