Google’s New Tool, DOM Snitch, Finds JavaScript Flaws

Google announced on Tuesday the availability of a new free application testing tool, dubbed “DOM Snitch,” that it says will help Web application developers find vulnerabilities in client side Web applications.

DOM SnitchGoogle announced on Tuesday the availability of a new free application testing tool, dubbed “DOM Snitch,” that it says will help Web application developers find vulnerabilities in client side Web applications.

The new application is a Chrome browser extension that works by injecting hooks into a Web page that signal when that page interacts with browser features that can be manipulated in attack. The tool is designed to allow both Web application developers and QA staff who lack expertise in security to pinpoint insecure application code, Google said.

DOM refers to the “Document Object Model,” a common, platform-neutral interface that allows programs and scripts to access and update the content and structure of Web pages and other online documents.

The DOM Snitch product is similar to other free, open source testing tools from Google, including Skipfish, an automated Web application security reconnaissance tool. The tool, which is released in an early, alpha-release form, watches for JavaScript for calls to DOM methods that can pose a security risk in developed application. Those include internal DOM events like onmouseover as well as document.write, set and get document.cookie, and so on. The tool can be run in “Passive,” “Invasive,” or “Standby” mode, allowing testers to merely snoop on activities taking place inside the DOM of a Web page, or to actually stop the page execution and intercept and modify data on the fly.

The tool outputs an activity log listing DOM modifications that pose a security risk, Google said.

A lingua franca of the Web, JavaScript is also a common element in the majority of malicious exploits used in Web based attacks. To combat JavaScript attacks, browser makers like Microsoft and Mozilla have typically relied on plug ins such as Zozzle and NoScript to block specific types of attacks, or disable JavaScript on Web sites altogether. Attackers have also taken to obfuscating JavaScript within malicious Web pages to hide their use of suspect methods such as Document.Write.

 

Suggested articles