Jan 28, 2008

Building security tools on top of Google Gears

Fitting into the role of a penetration tester from time to time, I sometimes encounter the trouble of not being able to use a remote web server to deploy certain attacks, or simply to verify the existence of a vulnerability. As a result, lately I've been spending quite a bit of time on the crazy idea of using Google Gears as the platform for tool development, mainly to address my needs when I need a remote host. The logic of Gears is quite simple. If a resource is available online, download it, and let the user see it. If the resource is not available (mainly due to network connectivity), Gears will fetch the last available copy of the resource from its cache.

Because Gears provides local caching capability and a built-in database engine, one can assume that tool development won't be an impossible task. For instance, auditing a remote server's logs to verify a cross-site scripting vulnerability can be approached in two different ways:
- A check against Gears' last access time on the desired object may reveal whether the attack was successful.
- A record in Gears' database may also indicate whether a request for a cached object is successful.

Anyhow, there is still quite a bit of research to be done before a solid conclusion regarding its use and feasibility can be made.

1 comment:

Ady said...

i haven't played with gears yet...the internet is growing faster than i can hac..oops, i mean pen-test it.