Google announced a free application testing tool, dubbed “DOM Snitch,” to help developers find vulnerabilities in client-side Web applications.
The tool can be used by both application developers and QA staff who may not have the security expertise to identify insecure code, Google said June 21.
An “experimental” browser extension currently available for Google Chrome, DOM Snitch injects “hooks” into a Web page to signal when the page interacts with the browser in a way similar to when it’s being exploited. The tool intercepts JavaScript calls to “key and potentially dangerous” browser elements, such as document.write or the ability to get and set cookie values. DOM Snitch records a complete stack trace to access whether the JavaScript call can be used in a cross-site scripting attack, or other client-site issues.
“Every day modern web applications are becoming increasingly sophisticated, and as their complexity grows so does their attack surface,” wrote Radoslav Vasilev, a Google engineer based in Zurich.
DOM refers to the “Document Object Model,” a platform-neutral interface used by applications and scripts to access and update the content of Web pages. While going through the client-side code, the tool will alert the developer that a particular function call could potentially allow an exploit.
DOM Snitch joins other open source testing tools from Google, including Skipfish and Ratproxy.