Google's Black Box Lemon
Google is serious about security, especially when the need for it hits close to home.
Because cross-site scripting (XSS) and other injection attacks are a particular threat to Google, the company's security team is developing a black box fuzzing tool called Lemon, which is intended to find XSS problems in applications automatically.
But don't expect to be able to use it anytime soon; Google is likely to keep a tight lid on this effort.
Fuzzing, also known as fault injection testing, is a technique widely used in security circles to try to break applications and expose their flaws.
"Our vulnerability testing tool enumerates a Web application's URLs and corresponding input parameters," Srinath Anantharaju, a developer on Google's security team, wrote in a blog post. "It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses for evidence of such vulnerabilities."
Google Lemon, according to Anantharaju, will also discover other types of security issues, including cookie poisoning and response splitting attacks. Lemon is "homegrown," and Google is actively developing it with new attack vectors.
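The loop Anantharaju describes (enumerate inputs, supply fault strings, analyze responses) can be sketched as follows. This is an added example, not Lemon's code, which the article says is not public; the three handlers, the `zq7lemon` marker and both fault strings are constructed for illustration, and everything runs in-process with no network access.

```python
import html

# Constructed stand-in application: each handler takes a dict of parameters
# and returns (headers, body). Nothing here touches the network.
def search(p):      # reflects input into HTML without escaping
    return {"Content-Type": "text/html"}, "<p>Results for %s</p>" % p.get("q", "")

def profile(p):     # escapes input before writing it into HTML
    return {"Content-Type": "text/html"}, "<p>Hello %s</p>" % html.escape(p.get("name", ""))

def go(p):          # copies input into a header without stripping CR/LF
    return {"Location": "/" + p.get("next", "")}, ""

APP = {"/search": (search, ["q", "page"]),
       "/profile": (profile, ["name"]),
       "/go": (go, ["next"])}

MARKER = "zq7lemon"  # arbitrary unique token, so a match cannot be accidental
FAULTS = {
    "xss": '<%s">' % MARKER,
    "response-splitting": "%s\r\nX-%s: 1" % (MARKER, MARKER),
}

def evidence(kind, headers, body):
    """Decide whether the response shows the fault string taking effect."""
    if kind == "xss":
        return FAULTS["xss"] in body   # metacharacters came back unescaped
    raw_head = "".join("%s: %s\r\n" % kv for kv in headers.items())
    # A header line of our own naming means the CR/LF split the header block.
    return any(line.startswith("X-%s:" % MARKER) for line in raw_head.split("\r\n"))

def scan(app):
    """Enumerate every (path, parameter), supply each fault string, analyse the response."""
    findings = []
    for path, (handler, params) in sorted(app.items()):
        for param in params:
            for kind, fault in FAULTS.items():
                benign = {name: "1" for name in params}
                headers, body = handler({**benign, param: fault})
                if evidence(kind, headers, body):
                    findings.append((path, param, kind))
    return findings

if __name__ == "__main__":
    for finding in scan(APP):
        print("%s  param=%s  %s" % finding)
```

The escaping handler produces no finding, which is the property a fix should be re-tested against: the same fault string goes in, and the analysis step no longer sees it come back intact.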
This article was first published on InternetNews.com.