DOM Snitch Google Chrome Extension: Passive in-the-browser Reconnaissance Tool


Google's Online Security team today introduced "DOM Snitch", an experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code.

Please note: DOM Snitch is intended for use by developers, testers, and security researchers alike. Developers and testers should be aware that DOM Snitch is currently experimental; refer to the Known Issues page and the issue tracker before relying on its output.

"To do this, we've adopted several approaches to intercepting JavaScript calls to key and potentially dangerous browser infrastructure such as document.write or HTMLElement.innerHTML (among others). Once a JavaScript call has been intercepted, DOM Snitch records the document URL and a complete stack trace that'll help assess if the intercepted call can lead to cross-site scripting, mixed content, insecure modifications to the same-origin policy for DOM access, or other client-side issues," Google explained.
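The mechanism Google describes above, a hook around DOM sinks that records the document URL and a stack trace and then applies heuristics to the written value, is easy to reproduce in plain JavaScript. The block below is an added example written for this page; it is not DOM Snitch's code, and every name in it (`installSinkHooks`, `SinkLog`, `classify`, the regex heuristics) is a hypothetical choice of this example. It wraps a method sink (`document.write`) and an accessor sink (the `innerHTML` setter) and classifies each write as a possible script injection, inline event handler, `javascript:` URI, or mixed-content load. Because Node has no DOM, the `demo()` at the bottom runs the hooks against a constructed stand-in document and element class; in a browser you would pass `document` and `HTMLElement.prototype` instead (the setter-hook walks the prototype chain because modern browsers define `innerHTML` on `Element.prototype`).

```javascript
// Added example of DOM-sink interception in the style of DOM Snitch.
// Not DOM Snitch's own code; all names here are hypothetical.

// Heuristics applied to every value that reaches a sink. 'mixed-content' is only
// meaningful when the page itself was loaded over https.
const SINK_HEURISTICS = [
  { name: 'script-tag',     re: /<script\b/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript:/i },
  { name: 'mixed-content',  re: /\b(src|href)\s*=\s*["']?http:\/\//i },
];

function classify(value, pageProtocol) {
  const text = String(value);
  const findings = [];
  for (const h of SINK_HEURISTICS) {
    if (h.name === 'mixed-content' && pageProtocol !== 'https:') continue;
    if (h.re.test(text)) findings.push(h.name);
  }
  return findings;
}

function captureStack() {
  // Drop the "Error" header line and this helper's own frame; the trace then
  // starts at SinkLog.record and continues into the hooked sink and its caller.
  return (new Error().stack || '').split('\n').slice(2).join('\n');
}

class SinkLog {
  constructor(locationLike) {
    this.location = locationLike; // anything with { href, protocol }, e.g. window.location
    this.records = [];
  }
  record(sink, value) {
    const entry = {
      sink,
      url: this.location.href,
      value: String(value),
      findings: classify(value, this.location.protocol),
      stack: captureStack(),
    };
    this.records.push(entry);
    return entry;
  }
  flagged() { return this.records.filter(r => r.findings.length > 0); }
  exportJSON() { return JSON.stringify(this.records, null, 2); } // for sharing a capture
}

// Wrap a method sink such as document.write; the original is still invoked.
function hookMethod(target, name, sinkId, log) {
  const original = target[name];
  target[name] = function (...args) {
    log.record(sinkId, args.join(''));
    return original.apply(this, args);
  };
}

// Find the object in the prototype chain that actually owns an accessor property.
function findDescriptor(obj, name) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, name);
    if (desc) return { owner: o, desc };
  }
  return null;
}

// Wrap an accessor sink such as innerHTML: log on set, then forward to the real setter.
function hookSetter(proto, name, sinkId, log) {
  const found = findDescriptor(proto, name);
  if (!found || typeof found.desc.set !== 'function') throw new Error(`${name} has no setter`);
  const { owner, desc } = found;
  Object.defineProperty(owner, name, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(value) {
      log.record(sinkId, value);
      desc.set.call(this, value);
    },
  });
}

function installSinkHooks(doc, elementProto, log) {
  hookMethod(doc, 'write', 'document.write', log);
  hookSetter(elementProto, 'innerHTML', 'HTMLElement.innerHTML', log);
  return log;
}

// Constructed stand-in for the DOM so the example runs under Node (not a real document).
function makeFakeDom(href) {
  const doc = { body: '', write(s) { this.body += s; } };
  function FakeElement() { this._html = ''; }
  Object.defineProperty(FakeElement.prototype, 'innerHTML', {
    configurable: true, enumerable: true,
    get() { return this._html; },
    set(v) { this._html = String(v); },
  });
  const url = new URL(href);
  return { doc, FakeElement, location: { href: url.href, protocol: url.protocol } };
}

function demo() {
  const { doc, FakeElement, location } = makeFakeDom('https://app.example/profile');
  const log = installSinkHooks(doc, FakeElement.prototype, new SinkLog(location));
  const el = new FakeElement();
  el.innerHTML = '<b>hello</b>';                                  // benign write
  el.innerHTML = '<img src=x onerror=alert(1)>';                  // inline event handler
  doc.write('<script src="http://cdn.example/a.js"></script>');  // script tag over http on an https page
  return log;
}
```

Running `demo()` yields three records, two of them flagged: the `onerror=` write and the `document.write` of a script loaded over plain http, each carrying the page URL and the stack trace that led to the sink. The heuristics are deliberately coarse; as with DOM Snitch itself, the value of the record is the stack trace, which tells the developer which code path put untrusted data into the sink.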

Here are the benefits of DOM Snitch:

  • Real-time: Developers can observe DOM modifications as they happen inside the browser without the need to step through JavaScript code with a debugger or pause the execution of their app.
  • Easy to use: With built-in security heuristics and nested views, both advanced and less experienced developers and testers can quickly spot areas of the app being tested that need more attention.
  • Easier collaboration: Enables developers to easily export and share captured DOM modifications while troubleshooting an issue with their peers.

You can download DOM Snitch here, and the documentation here.

[Source: Online Security Blog]