Tools

Security at Google is more than vigilantly protecting our own systems and our users' data. We also want to help others increase the security posture of all Internet-connected systems. One way that we do this is by releasing some of our security tools as open source.

These tools are designed to be used by people who work in, or are interested in, the field of information security. Each addresses a gap left by other open-source tools. These tools may require some minor tweaking or compilation to work on your systems. Please refer to the documentation if you are having problems.

Don't be evil. Practice safe checks. Some of these tools can be disruptive or cause sites to misbehave (this is by design). Only use these tools against services that you own or have permission to test.

Caja

Caja is a compiler for making third-party HTML, CSS and JavaScript safe to embed in your website. It uses an object-capability security model to allow for a wide range of flexible security policies. Caja has its own dedicated site where you can explore the compiler's source code and try out Caja in the Caja Playground.

Keyczar

Keyczar is an open-source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. It supports authentication and encryption with both symmetric and asymmetric keys. It is designed to be open, extensible and cross-platform compatible.

Native Client (NaCl)

Native Client (NaCl) is a technology for running natively compiled code in the browser. NaCl aims to maintain the operating-system portability and safety that people expect from web applications. NaCl has its own dedicated site that provides a high-level overview of the technology.

Ratproxy

Ratproxy is a semi-automated and mostly passive web application security audit tool. It complements the active crawlers and manual proxies more commonly used for security reviews. It detects and prioritizes broad classes of security problems, including script inclusion and security-related content serving issues, cross-site scripting and cross-site request forgery.

Skipfish

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for a site by carrying out a recursive crawl and dictionary-based probes. Written in C with a custom HTTP stack, it is high-performance, easy to use and reliable.

DOM Snitch

DOM Snitch is an experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. Developers and testers can observe DOM modifications as they happen inside the browser without the need to step through JavaScript code with a debugger or pause the execution of their application.

Gruyere

Gruyere is a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. Find bugs while learning about web security!