Ratproxy-Google's XSS detection tool

By fenng|It can be reproduced. During reprinting, it must be indicated by a hyperlink.ArticleSource and author information and copyright notice
Web: http://www.dbanotes.net/security/ratproxy_google_xss.html

Cross-site scripting (XSS) attacks may be a headache for all websites, and Google is no exception. This time, Google made another Lei Feng and opened the internal tool used to audit XSS: ratproxy.

Ratproxy workflow:

• 1) after running the script, a proxy server is started locally. The default port is 8080;
• 2) the browser sets this address (http: // localhost: 8080) as the proxy address;
• 3) browse the Web page to be tested, log on to the server, and fill in the Form. (These actions will be captured by the proxy server and sent to the page to be checked ), ratproxy records related logs in the background;
• 4) use the tools provided by ratproxy to parse logs and output "> HTML for analysis;
• 5) after fixing a serious problem, jump back to the first step until the evaluation is passed.

I tested it in Ubuntu. It should be noted that libssl-Dev and OpenSSL must be installed in the local system.
 

 
$ Sudo apt-Get install libssl-dev OpenSSL
$ CD ratproxy; make
 

 

Then you can submit something like:

 
$./Ratproxy-V.-W Foo. Log-D foo.com-lfscm
 

Then, click the relevant page for testing. The design idea of this tool is worth learning. We recommend that you read the ideas you are interested in security.Source code.

Ratproxy is written by Michal zarewski, a white hat hacker from Poland. He can find more interesting tools on his personal homepage.