Yesterday, Google released its open-source passive web application security assessment tool, ratproxy.

In Google's own words, the utility, "developed by our information security engineering team, is designed to transparently analyze legitimate, browser-driven interactions with a tested web property and automatically pinpoint, annotate, and prioritize potential flaws or areas of concern."

The proxy analyzes problems such as cross-site script inclusion threats, insufficient cross-site request forgery defenses, caching issues, cross-site scripting candidates, potentially unsafe cross-domain code inclusion schemes and information leakage scenarios, and much more.

Based on the ratproxy documentation, it looks like the tool has several useful security checks. The current version is ratproxy 1.50, and you can download it on Google Code.

Update: 1.51 is out already, and the folks at Polytechnic University’s ISIS lab give us a review of the ratproxy tool.