ratProxy: New arsenal for Web Security Analysts.

On 1st June Google has made their Passive web security Assessment tool RatProxy open source. Google confirmed that they were using this tool internally for analyzing interactive browser driven interactions. The tool is released under an Apache 2.0 software license.
Inspite of being in Beta phase, ratProxy has lot of features compared to other similar web proxy tools – WebScarab, Paros, Burp, ProxMon, and Pantera.

Official website describes the tool as –
“A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.

Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.

Ratproxy is currently believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments. ”

Following are some salient features of ratProxy that gives it an edge over others.
1) It does not generate high volumes of attack simulating traffic.
2) Test lot of web2.0 features including XSS, CSRF etc
3) Sniff content from stylesheets .
4) Supports SSL.
5) Support proxy-chaining.
6) Flash based XSS detection.
7) Precise Reports. etc

Though tool is good enough to test security vulnerabilities in the Web applications, should not be consider sole testing solution. Manual testing and verification of results must be followed after generating ratProxy report.

More detailed information about the tool can be found here.
Following snapshot shows the report generated by ratProxy.

You can download the tool here.

With the continous improvement in Web2.0, Security Professionals need to keep their tools updates and we all hope ratProxy will stand by us to protect those improvements.


About this entry