Testing Web application security using Google's ratproxy

Tuesday, January 1, 2008

To help developers audit Web application security, Google has released an open source tool called ratproxy. It is a non-disruptive tool designed for Web 2.0 and AJAX applications that produces an easy-to-read report of potential exploits.
Ratproxy is a local program designed to sit between your Web browser and the application you want to test. It logs outgoing requests and responses from the application, and can generate its own modified transactions to determine how an application responds to common attacks.

The list of low-level tests it runs is extensive, and includes:
  • potentially unsafe JSON-like responses
  • bad caching headers on sensitive content
  • suspicious cross-domain trust relationships
  • queries with insufficient XSRF defenses
  • suspected or confirmed XSS and data injection vectors
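
An added example, not part of the original article and not ratproxy's own code: two of the passive checks listed above (cacheable sensitive content, and JSON-like responses served under a browser-renderable type) applied to logged responses in Python. The `Response` type, the "sets a cookie means sensitive" heuristic and the sample log are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Response:              # hypothetical record of one logged response
    url: str
    headers: dict            # header names lower-cased
    body: str = ""

def cache_findings(resp):
    """Flag user-specific responses that a shared cache may store."""
    if "set-cookie" not in resp.headers:   # assumption: cookie => sensitive
        return []
    raw = resp.headers.get("cache-control", "")
    directives = {d.strip().split("=")[0].lower()
                  for d in raw.split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return []
    return ["sensitive response is cacheable by shared caches"]

def json_findings(resp):
    """Flag JSON-like bodies a browser could interpret as another type."""
    body = resp.body.lstrip()
    if not body or body[0] not in "{[":
        return []
    ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
    out = []
    if ctype != "application/json":
        out.append(f"JSON-like body served as '{ctype or 'unspecified'}'")
    if resp.headers.get("x-content-type-options", "").lower() != "nosniff":
        out.append("missing X-Content-Type-Options: nosniff")
    return out

def audit(log):
    """Return {url: [findings]} for every response with at least one finding."""
    report = {}
    for resp in log:
        findings = cache_findings(resp) + json_findings(resp)
        if findings:
            report[resp.url] = findings
    return report

# Constructed sample traffic (not captured from a real application).
SAMPLE_LOG = [
    Response("https://app.example/account",
             {"set-cookie": "sid=abc", "content-type": "text/html",
              "cache-control": "public, max-age=600"}, "<html></html>"),
    Response("https://app.example/api/profile",
             {"set-cookie": "sid=abc", "content-type": "text/html",
              "cache-control": "no-store"}, '{"name": "alice"}'),
    Response("https://app.example/api/ok",
             {"set-cookie": "sid=abc", "cache-control": "private, no-store",
              "content-type": "application/json; charset=utf-8",
              "x-content-type-options": "nosniff"}, '{"ok": true}'),
    Response("https://app.example/site.css",
             {"content-type": "text/css", "cache-control": "public"}, "body{}"),
]
```

Calling `audit(SAMPLE_LOG)` reports the first two URLs and leaves the correctly configured API response and the static stylesheet unflagged.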
Read more at Linux.com
