The folks at Google apparently aren’t much for summer vacations. The company’s security team has been at work on an automated tool for finding cross-site scripting vulnerabilities in Web applications. Google’s new tool is called Lemon, and is essentially a fuzzer purpose-built to find XSS flaws, which are among the more widespread and easily exploitable vulnerabilities on the Web.
Our vulnerability testing tool enumerates a web application’s URLs and corresponding input parameters. It then iteratively supplies fault strings designed to expose XSS and other vulnerabilities to each input, and analyzes the resulting responses for evidence of such vulnerabilities. Although it started out as an experimental tool, it has proved to be quite effective in finding XSS problems. Besides XSS, it finds other security problems such as response splitting attacks, cookie poisoning problems, stack trace leaks, encoding issues and charset bugs.
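The scan loop that description outlines (enumerate the parameters, feed each one a probe string, look for evidence in the response) is short enough to show end to end. The example below is added here and is not Google's code or part of the original post; the handler functions, the URL, the probe strings and the function names are all constructed for illustration. The "web application" is a pair of in-process handlers per check, one that echoes input unencoded and one hardened with html.escape or CRLF rejection, so the whole thing runs offline and shows both the finding and the fix.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe strings. Each carries a unique token so the scanner can tell a
# reflection of its own input apart from anything the page already contained.
MARKER = "lemonprobe7f3a"
XSS_PROBE = f'<"\'{MARKER}>'                      # HTML metacharacters around the token
CRLF_PROBE = f"{MARKER}\r\nX-Probe: {MARKER}"    # a CRLF that would start a new header line

# Hypothetical handlers standing in for the web application under test. Each takes a
# dict of query parameters and returns (headers, body), so no network is involved.

def vulnerable_search(params):
    """Echoes q into the page without encoding: the 'before' state."""
    q = params.get("q", "")
    return {"Content-Type": "text/html"}, f"<html><body><p>Results for {q}</p></body></html>"

def hardened_search(params):
    """Same page with html.escape applied before the value reaches the markup."""
    q = html.escape(params.get("q", ""), quote=True)
    return {"Content-Type": "text/html"}, f"<html><body><p>Results for {q}</p></body></html>"

def vulnerable_redirect(params):
    """Copies the 'next' parameter straight into a Location header."""
    return {"Location": params.get("next", "/")}, ""

def hardened_redirect(params):
    """Rejects any value containing CR or LF before it can reach a header."""
    target = params.get("next", "/")
    if "\r" in target or "\n" in target:
        target = "/"
    return {"Location": target}, ""

def reflected_unencoded(headers, body):
    """Evidence of XSS: the probe comes back with its metacharacters intact."""
    return XSS_PROBE in body

def header_split(headers, body):
    """Evidence of response splitting: a CRLF from the probe survived inside a header value."""
    return any("\r\n" in value for value in headers.values())

# Each check pairs a fault string with the response analysis that recognises it.
CHECKS = {
    "xss": (XSS_PROBE, reflected_unencoded),
    "response_splitting": (CRLF_PROBE, header_split),
}

def fuzz_url(handler, url):
    """Enumerate the URL's query parameters, send each probe through each parameter in
    turn, and return (check, parameter) pairs for which the response shows the evidence."""
    parts = urlsplit(url)
    baseline = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    for name in baseline:
        for check, (probe, evidence) in CHECKS.items():
            params = dict(baseline)
            params[name] = probe          # mutate one parameter, keep the rest at baseline
            headers, body = handler(params)
            if evidence(headers, body):
                findings.append((check, name))
    return findings

if __name__ == "__main__":
    url = "http://example.test/page?q=hello&next=/home"
    for handler in (vulnerable_search, hardened_search, vulnerable_redirect, hardened_redirect):
        print(handler.__name__, fuzz_url(handler, url))
```

Keeping every parameter but one at its baseline value is what lets the loop attribute a finding to a single input; the unique token keeps a page that happens to contain a stray `<` from producing a false positive. A real scanner would also vary the context it probes (attribute, script, URL) and follow the crawled URLs, but the structure is the same.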
XSS flaws have troubled Web application developers for years, and although the errors that cause the vulnerabilities are well-documented, they still creep into a lot of applications. Google’s developers probably build as many Web apps as any company in the industry, so the company’s security team has the advantage of having a lot of homegrown talent at their fingertips. Right now, Lemon appears to be for internal Google use only, but given the company’s history of freely releasing other applications and tools, it wouldn’t be a surprise to see Lemon make its way into the hands of the public soon.