Google has released a new extension for its Google Chrome browser. According to their security blog, Google calls the extension DOM Snitch. According to Google, everyday applications that rely on the web are becoming increasingly complex. This leads to a larger attack surface. Previous tools such as Skipfish and Ratproxy were used to secure server-side code. Now Google has created DOM Snitch to test client-side code.
The extension intercepts JavaScript calls that are closely tied to browser infrastructure. Examples would be document.write or HTMLElement.innerHTML. Once the call is intercepted, the extension records the document URL and a complete trace that assess if the call can be used for cross-site scripting, mixed content, insecure modifications to DOM access, or other client-side issues. The browser extension is real time, meaning that developers can observe DOM modifications as they happen. Google claims the tool has built-in security heuristics and nested views so that developers and testers can spot areas of the application that need more attention. The tools also allows developers to export and share captured DOM modifications in order to perform troubleshooting of issues with their peers.
DOM Snitch is intended for use by developers, testers, security researchers, and advanced users only. It is an experimental extension and will not work flawlessly on every web application. It could cause data loss. Use at your own risk.
Click here to download DOM Snitch.
17 Comments - Add comment