Google’s Black Box Lemon


Google is serious about security, especially when the need for it hits close to home.


Because cross-site scripting (XSS) and other sorts of injection attacks are a
particular threat to Google, the company's security team is developing a black box fuzzing tool called Lemon, intended to automatically find XSS problems in applications.

But don’t expect to be able to use it anytime soon; Google is likely to keep a tight lid on this effort.


Fuzzing, also known as fault injection testing, is a widely used
technique in security circles for trying to break applications and expose
flaws.


“Our vulnerability testing tool enumerates a Web application’s URLs and
corresponding input parameters,” Srinath Anantharaju, a developer on Google’s
security team, wrote in a blog post. “It then iteratively supplies fault
strings designed to expose XSS and other vulnerabilities to each input, and
analyzes the resulting responses for evidence of such vulnerabilities.”
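The three steps Anantharaju describes (enumerate parameters, supply fault strings, analyze responses) reduce to a small harness. The code below is an added illustration, not Lemon (which Google has not released); the two handlers, the `fz7Q` canary and the fault strings are constructed for the example, and the "unsafe" handler exists only to show what the analysis step flags and how output encoding makes the finding disappear.

```python
import html
from urllib.parse import urlsplit, parse_qs

CANARY = "fz7Q"  # constructed marker, unlikely to occur in a real page
# One fault string per context the value could be reflected into:
# HTML text, a double-quoted attribute, a single-quoted attribute.
FAULT_STRINGS = [f"<{CANARY}>", f'"{CANARY}"', f"'{CANARY}'"]

def search_unsafe(params):
    """Constructed stand-in endpoint: reflects q with no output encoding."""
    q = params.get("q", "")
    return f"<html><body>Results for {q}</body></html>"

def search_escaped(params):
    """Same page, hardened: HTML-encodes the value before reflecting it."""
    q = html.escape(params.get("q", ""), quote=True)
    return f"<html><body>Results for {q}</body></html>"

def enumerate_params(url):
    """Step 1: derive an endpoint's input parameters from its query string."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def fuzz_endpoint(handler, url):
    """Steps 2 and 3: send each fault string to each parameter in turn and
    record any response that echoes it back verbatim, i.e. unencoded."""
    base = enumerate_params(url)
    findings = {}
    for name in base:
        for fault in FAULT_STRINGS:
            params = dict(base, **{name: fault})  # mutate one input at a time
            body = handler(params)
            if fault in body:  # evidence: metacharacters survived untouched
                findings.setdefault(name, []).append(fault)
    return findings

def scan(endpoints):
    """Run the harness over a {url: handler} map, standing in for a crawl."""
    return {url: fuzz_endpoint(h, url) for url, h in endpoints.items()}

if __name__ == "__main__":
    report = scan({"/search?q=test": search_unsafe,
                   "/search2?q=test": search_escaped})
    for url, hits in report.items():
        print(url, "->", hits or "no unencoded reflection")
```

Against a real application the handler call becomes an HTTP request, and the analysis step has to account for encodings other than HTML (URL, JavaScript string) rather than a plain substring match.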


Google Lemon, according to Anantharaju, will also discover other types of
security issues, including cookie poisoning and response splitting attacks.
Lemon is “homegrown” and is being actively developed by Google, with new
attack vectors being added.


Though Google looked at commercially available fuzzers on the market, Anantharaju said the company felt its specialized needs
could be served best by developing its own. It’s likely to stay that way, too.


“Lemon is highly customized for Google apps and we have no plans to market
it externally in the near future,” Anantharaju said.


Google has seen a number of serious XSS flaws, including an AdWords flaw in December and a desktop flaw in February, both of which were publicly disclosed and originally discovered by third parties.
