Google is developing a security tool that can automatically discover cross-site scripting defects in its web application software.
According to foreign media reports, the tool named Lemon triggers and exposes defects in web applications by providing random data input. Lemon is a black box testing tool. According to Google's security team member Srinath Anantharaju, Lemon's Development aims to discover cross-site scripting defects, but Google is adding methods to discover new attack paths, to improve the tool's ability to discover other known security issues.
Anantharaju wrote in Google's network security blog that our defect testing tool lists the URLs and input parameters of a web application, and then repeatedly provides input with defects, to discover cross-site scripting and other defects, analyze the results and find evidence of these defects.
Hackers usually inject code into web applications to trigger cross-site scripting attacks. Hackers can also send emails with malicious links to users. When a user clicks this link, the system loads a webpage, hackers can inject script code that can be executed in a browser dialog.
Google plans to use this tool to test its own web application, but it will not release it in the near future.