Google has Open Sourced RatProxy Security Tool

Google has announced that it has open-sourced RatProxy, which, according to the Google Code site, is:

"A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments."

What does this mean? Well, I am not an expert on the tool (yet), but it appears that RatProxy sits on your web server and monitors your existing site traffic for potential vulnerabilities and reports on them. It looks for threats like Cross-Site Scripting vulnerabilities, issues with content serving, Request Forgery vulnerabilities, unsafe JSON-like responses, and more.
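To make the kinds of findings listed above concrete, here is an added example (written for this post, not ratproxy's own code) of passive checks applied to observed request/response pairs: reflected parameters in HTML as XSS candidates, bare JSON arrays/objects as hijackable responses, and POST forms without a hidden token as request-forgery candidates. The heuristics are simplified guesses at how such findings can be derived, not ratproxy's actual rules, and the host `app.example` and all traffic in it are constructed. It also includes a small plain-HTTP forward proxy class that runs the same checks on whatever a browser pointed at it sends, which is the mode ratproxy works in.

```python
"""Passive web-audit checks of the kind ratproxy reports, applied to observed browser traffic.
Added example for this post; it is not ratproxy code, and the heuristics are simplified
guesses at how such findings can be derived, not ratproxy's actual rules."""
import http.client
import json
import re
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qsl, urlsplit

# Prefixes that stop a JSON array/object from being loadable as a cross-domain <script>.
SAFE_JSON_PREFIXES = (")]}'", "while(1);", "for(;;);", "{}&&")
FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)


def content_type(headers):
    return next((v for k, v in headers.items() if k.lower() == "content-type"), "").lower()


def request_params(method, url, body):
    """Query-string parameters plus urlencoded POST fields, decoded."""
    params = dict(parse_qsl(urlsplit(url).query))
    if method.upper() == "POST" and body:
        params.update(parse_qsl(body))
    return params


def check_reflection(params, headers, body):
    """Parameter values echoed verbatim into an HTML response are XSS candidates."""
    if not content_type(headers).startswith("text/html"):
        return []
    out = []
    for name, value in params.items():
        if len(value) >= 4 and value in body:
            sev = "high" if re.search(r"[<>\"']", value) else "info"  # metacharacters survived
            out.append((sev, f"parameter {name!r} reflected verbatim into HTML"))
    return out


def check_json(headers, body):
    """A bare JSON array/object without an anti-hijacking prefix is flagged."""
    text = body.lstrip()
    if text.startswith(SAFE_JSON_PREFIXES) or not text.startswith(("[", "{")):
        return []
    try:
        json.loads(text)
    except ValueError:
        return []
    out = [("medium", "JSON-like response without anti-hijacking prefix")]
    if not content_type(headers).startswith("application/json"):
        out.append(("low", f"JSON body served as {content_type(headers) or 'no Content-Type'}"))
    return out


def check_csrf(headers, body):
    """A POST form with no hidden token-like field is a request-forgery candidate."""
    if not content_type(headers).startswith("text/html"):
        return []
    out = []
    for form in FORM_RE.findall(body):
        if not re.search(r"method=[\"']?post", form, re.I):
            continue
        tokened = any(re.search(r"type=[\"']?hidden", i, re.I)
                      and re.search(r"name=[\"']?[^\"'> ]*(token|csrf|nonce)", i, re.I)
                      for i in INPUT_RE.findall(form))
        if not tokened:
            out.append(("medium", "POST form without a hidden anti-CSRF token field"))
    return out


def audit(method, url, req_body, resp_headers, resp_body):
    """Run every passive check over one observed request/response pair."""
    params = request_params(method, url, req_body)
    return (check_reflection(params, resp_headers, resp_body)
            + check_json(resp_headers, resp_body)
            + check_csrf(resp_headers, resp_body))


class PassiveAuditProxy(BaseHTTPRequestHandler):
    """Plain-HTTP forward proxy: point the browser at it, browse, read the findings it logs."""
    SKIP = {"proxy-connection", "connection", "accept-encoding", "transfer-encoding"}

    def do_GET(self):
        self.relay()

    def do_POST(self):
        self.relay()

    def relay(self):
        parts = urlsplit(self.path)  # a browser hands a proxy the absolute URL
        length = int(self.headers.get("Content-Length", 0))
        req_body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items() if k.lower() not in self.SKIP}
        conn = http.client.HTTPConnection(parts.netloc, timeout=15)
        conn.request(self.command, parts._replace(scheme="", netloc="").geturl() or "/",
                     req_body, headers)
        resp = conn.getresponse()
        data = resp.read()
        for sev, msg in audit(self.command, self.path, req_body.decode("latin-1"),
                              dict(resp.getheaders()), data.decode("latin-1")):
            self.log_message("[%s] %s %s: %s", sev, self.command, self.path, msg)
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in self.SKIP and k.lower() != "content-length":
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Constructed sample pair; replace this block with
    # ThreadingHTTPServer(("127.0.0.1", 8080), PassiveAuditProxy).serve_forever()
    # to listen on 8080 (ratproxy's default) and audit live browser traffic instead.
    html = "<html>Results for <i>probe</i><form method='post'><input name='to'></form></html>"
    for finding in audit("GET", "http://app.example/search?q=<i>probe</i>", "",
                         {"Content-Type": "text/html"}, html):
        print(finding)
```

The proxy only handles plain HTTP; HTTPS through a proxy arrives as a CONNECT tunnel the proxy cannot see into without terminating TLS itself, which is why tools in this class run at the client rather than sniffing on the wire.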

One especially interesting point is that in the README file they claim that this can be safely deployed in a production environment.

I am pretty excited about this release. I have been meaning to look into these types of tools, and this gives me an excuse to get started. I am going to see if I can get this up and running and I will blog about the experience.

Does anyone have any experience with other automated web security analyzers? Burp? WebScarab? ProxMon?

Comments
It is a client-side web proxy like Paros, WebScarab or Burp. It doesn't run on the server at all.
# Posted By John H Sawyer | 7/2/08 8:40 AM
@john Ah - I think I see. Since it is a proxy, it can run from any machine, but most likely you would install it on your local machine (not on your server) and then you would specifically route your browser requests through it by changing your proxy settings. Am I understanding that correctly?

Thanks for the comment and clarification. What threw me off was the parameter description for port (-p) which reads: "causes ratproxy to listen for browser connections on a TCP port different than the default 8080". And I was thinking, if it is listening on a port, it must go on the server.
# Posted By Jason Dean | 7/2/08 9:17 AM