RealTime IT News

Google's Black Box Lemon

Google is serious about security, especially when the need for it hits close to home.

Because cross-site scripting (XSS) and other injection attacks are a particular threat to Google, the company's security team is developing a black box fuzzing tool called Lemon, which is intended to automatically find XSS problems in applications.

But don't expect to be able to use it anytime soon; Google is likely to keep a tight lid on this effort.

Fuzzing, also known as fault injection testing, is a widely used technique in security circles for trying to break applications and expose flaws.

"Our vulnerability testing tool enumerates a Web application's URLs and corresponding input parameters," Srinath Anantharaju, a developer on Google's security team, wrote in a blog post. "It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses for evidence of such vulnerabilities."
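The enumerate, inject and analyze loop described in that quote can be sketched offline against a toy application. This is an added example, not Lemon's code or anything published by Google: the handlers, route table, probe string and function names are all constructed for illustration, and the probe is a harmless marker rather than a script payload.

```python
import html

# Constructed in-process "application": path -> (handler, parameter names).
def search(params):            # reflects q without encoding (deliberately flawed)
    return "<h1>Results for " + params.get("q", "") + "</h1>"

def profile(params):           # encodes name before reflecting it
    return "<p>Hello, " + html.escape(params.get("name", ""), quote=True) + "</p>"

def ping(params):              # ignores its input entirely
    return "<p>ok</p>"

ROUTES = {
    "/search": (search, ["q", "page"]),
    "/profile": (profile, ["name"]),
    "/ping": (ping, ["id"]),
}

# Benign probe: a unique token wrapped in the characters HTML encoding must neutralise.
TOKEN = "zq7probe"
PROBE = '<"\'' + TOKEN + '>'

def classify(body):
    """Classify how the probe came back in one response body."""
    if PROBE in body:
        return "reflected-raw"        # markup characters survived: needs output encoding
    if TOKEN in body:
        return "reflected-encoded"    # value echoed, but metacharacters were altered
    return "not-reflected"

def scan(routes):
    """Probe one parameter at a time, keeping the others at a neutral value."""
    results = {}
    for path, (handler, names) in routes.items():
        for target in names:
            params = {n: "1" for n in names}
            params[target] = PROBE
            results[(path, target)] = classify(handler(params))
    return results

def findings(results):
    """Return the (path, parameter) pairs that echoed the probe unencoded."""
    return sorted(k for k, v in results.items() if v == "reflected-raw")

if __name__ == "__main__":
    for (path, name), verdict in sorted(scan(ROUTES).items()):
        print(f"{path:10} {name:6} {verdict}")
```

Only `/search` with parameter `q` is reported, which is the input whose handler needs output encoding; the encoded echo on `/profile` shows why the analysis step compares the full probe rather than just the token.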

Google Lemon, according to Anantharaju, will also discover other types of security issues, including cookie poisoning and response splitting attacks. Lemon is "homegrown" and is being actively developed by Google with new attack vectors.

Though Google looked at commercially available fuzzers, Anantharaju said the company felt its specialized needs could be served best by developing its own. It's likely to stay that way, too.

"Lemon is highly customized for Google apps and we have no plans to market it externally in near future," Anantharaju said.

Google has seen a number of serious XSS flaws, including an AdWords flaw in December and a desktop flaw in February, both of which were publicly disclosed and originally discovered by third parties.