Google has just released the source code to one of their internal testing tools.  Ratproxy is a web proxy that is designed to scan for and log potential problems and “security-relevant design patterns” as you (the user) test your site or web service.

It’s not an automated test tool; it follows the actions of a user and examines the pages the user hits during a test run.  By following the user, ratproxy sees the same payload the user receives.  All of the login authentication is handled by the user; ratproxy only observes the data as it goes back and forth.  That lets the user use any browser, and browser-specific behavior can be tracked by ratproxy.

Since the actions are directed by the browser, AJAX related traffic is picked up and ratproxy will check for cross-domain script inclusion.  It also has the ability to decompile Flash applets, as there are a few Flash security holes that could allow cross-site script injections.  If you are testing your own code, that shouldn’t be a problem, but if you have some 3rd party Flash applets it’s always a good idea to check them.
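To make the cross-domain script check concrete, here is an added example (my own code, not ratproxy’s) of the kind of passive test a proxy can apply to an HTML response it has already seen on the user’s behalf: it resolves every `<script src>` against the page URL and flags the ones whose origin differs from the page’s.  The page URL and HTML are constructed sample data.

```python
"""Passive check for cross-domain script inclusion in an observed response.

Added example, not ratproxy's own code: it mimics the kind of check a passive
proxy applies to pages the user actually visits.  The sample URL and HTML
below are constructed, not captured from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return (scheme, host, port), the tuple a browser uses for same-origin."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def cross_domain_scripts(page_url, html):
    """Return absolute script URLs whose origin differs from the page's.

    Relative and protocol-relative src values are resolved against page_url
    first, the way a browser would, so "//cdn.example.net/x.js" is flagged
    while "/static/app.js" is not.  A scheme change (https page pulling an
    http script) also counts as a different origin.
    """
    collector = ScriptCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    resolved = [urljoin(page_url, src) for src in collector.srcs]
    return [url for url in resolved if origin(url) != page_origin]


# Constructed sample response, as a passive proxy would observe it.
SAMPLE_URL = "https://app.example.com/account"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.net/widget.js"></script>
<script src="https://app.example.com:443/js/ok.js"></script>
<script src="http://app.example.com/js/plain.js"></script>
</head><body>account page</body></html>"""

if __name__ == "__main__":
    for url in cross_domain_scripts(SAMPLE_URL, SAMPLE_HTML):
        print("cross-domain script:", url)
```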

To install ratproxy, you have to download it as a compressed tarball from its Google Code download page and compile it yourself from the included source code.  For Windows, you’ll need to have Cygwin installed.  If you are not familiar with Cygwin, it’s a collection of tools that provide a Linux-like environment under Windows.  From what I read on the ratproxy documentation page, you may need to tweak the makefile to get it to compile with the Cygwin GCC compiler.  Someone mentioned that ratproxy was written for GCC 3.4 and that the version bundled with Cygwin is 3.4.4.  If that is the case, version 4.3.1 can be downloaded directly from gcc.gnu.org or from one of its mirror sites.  If you want to use 4.3 under Windows, you’ll have to install Cygwin first and build it with the version of GCC that comes with Cygwin.

I don’t have Cygwin installed (yet).  I plan on doing so in the near future, and I want to compile ratproxy and see how it works.  The idea sounds cool, and if it’s not too painful to build under Windows, I would like to add it to the test arsenal.  The cool part of ratproxy is that you can use it with your existing test methods: all you need to do is direct your browser or test tool to use ratproxy as a proxy server.

Ratproxy was written by and is maintained by Michal Zalewski, a computer security expert on the “white hat” side.  His personal site has some interesting side projects.