RatProxy是Google信息安全技术团队所研发的程序安全侦测工具,一向为Google内部所使用。Google信息安全工程师Michal Zalewski表示,Google决定将该工具免费开放是因为他们认为这将对信息安全社群有价值,强化社群理解与Web技术有关的安全问题。
RatProxy能够分析诸如跨站威胁、防御伪装的跨站请求,以及侦测到快取问题或是潜在的信息泄露问题等。
Google在文件中表示,RatProxy为一半自动、多数是被动的网络应用程序安全侦测工具,它同时补足了传统主动爬寻及手动侦测的缺点,而且特别针对潜在的问题及安全相关设计的精确侦测与自动批注进行优化。
至于比起传统安全侦测工具,Google亦列出几项 RatProxy 的优势,包括在默认的操作模式中不会引起仿真攻击所带来的庞大流量,可避免正在使用的系统的瓦解,而且它提供直觉式的操作,并降低时间及带宽的使用,并能找出产品的问题与潜在的漏洞等。
现在开发人员皆可自Google网站下载RatProxy,它支持Linux、FreeBSD、MacOS X及Windows等作业环境!
Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments. The approach taken with ratproxy offers several important advantages over more traditional methods:
- No risk of disruptions. In the default operating mode, tool does not generate a high volume of attack-simulating traffic, and as such may be safely employed against production systems at will, for all types of ad hoc, post-release audits. Active scanners may trigger DoS conditions or persistent XSSes, and hence are poorly suited for live platforms.
- Low effort, high yield. Compared to active scanners or fully manual proxy-based testing, ratproxy assessments take very little time or bandwidth to run, and proceed in an intuitive, distraction-free manner - yet provide a good insight into the inner workings of a product, and the potential security vulnerabilities therein. They also afford a consistent and predictable coverage of user-accessible features.
- Preserved control flow of human interaction. By silently following the browser, the coverage in locations protected by nonces, during other operations valid only under certain circumstances, or during dynamic events such as cross-domain Referer data disclosure, is greatly enhanced. Brute-force crawlers and fuzzers usually have no way to explore these areas in a reliable manner.
- WYSIWYG data on script behavior. Javascript interfaces and event handlers are explored precisely to a degree they are used in the browser, with no need for complex guesswork or simulations. Active scanners often have a significant difficulty exploring JSON responses, XMLHttpRequest() behavior, UI-triggered event data flow, and the like.
- Easy process integration. The proxy can be transparently integrated into an existing manual security testing or interface QA processes without introducing a significant setup or operator training overhead.
相关介绍:http://code.google.com/p/ratproxy/ http://code.google.com/p/ratproxy/wiki/RatproxyDoc
下载页面:http://code.google.com/p/ratproxy/downloads/list
原文地址:http://hi.baidu.com/nzone/blog/item/da023d4ea60671cfd1c86a43.html
*博客内容为网友个人发布,仅代表博主个人观点,如有侵权请联系工作人员删除。