Jun 22, 2011 16:27 GMT

Google has released a Chrome extension that is capable of checking client-side code for cross-site scripting weaknesses and other security issues.

Called DOM Snitch, the still-experimental extension intercepts JavaScript calls to potentially dangerous DOM functions and properties such as document.write, document.cookie, HTMLElement.innerHTML and others.

It records a complete stack trace for each call, allowing the user to determine whether the calls can lead to cross-site scripting, mixed content, violations of the same-origin DOM policy and other issues.
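The interception approach described above can be sketched as follows. This is an added example, not code from DOM Snitch or Google: `hookSink`, `heuristics`, `FakeElement` and `fakeDocument` are hypothetical names, the two heuristic rules are simplified assumptions, and the browser objects are constructed stand-ins so the script runs outside a browser.

```javascript
// Added illustration, not DOM Snitch source. Heuristics below are assumed, simplified rules.
function heuristics(text) {
  const flags = [];
  if (/<script\b|\bon\w+\s*=|javascript:/i.test(text)) flags.push("script-capable markup");
  if (/\b(?:src|href)\s*=\s*["']?http:\/\//i.test(text)) flags.push("possible mixed content");
  return flags;
}

// Wrap a method or setter so every use is logged with its value and call stack.
function hookSink(owner, name, label, log) {
  // Walk the prototype chain: accessors such as innerHTML live on a prototype.
  let holder = owner, desc;
  while (holder && !(desc = Object.getOwnPropertyDescriptor(holder, name))) {
    holder = Object.getPrototypeOf(holder);
  }
  if (!desc) throw new Error(`no such property: ${name}`);
  const record = (value) => {
    const text = String(value);
    // slice(2) drops the "Error" header line and the frame for record() itself.
    const stack = new Error().stack.split("\n").slice(2).map((f) => f.trim());
    log.push({ sink: label, value: text, stack, flags: heuristics(text) });
  };
  if (typeof desc.value === "function") {
    const original = desc.value;
    desc.value = function (...args) { record(args.join("")); return original.apply(this, args); };
  } else if (desc.set) {
    const originalSet = desc.set;
    desc.set = function (v) { record(v); return originalSet.call(this, v); };
  } else {
    throw new Error(`${name} is neither a method nor a settable accessor`);
  }
  Object.defineProperty(holder, name, desc);
}

// Constructed stand-ins for browser objects so the example runs outside a browser.
function demo() {
  const log = [];
  class FakeElement {
    get innerHTML() { return this._html; }
    set innerHTML(v) { this._html = v; }
  }
  const fakeDocument = { written: [], write(s) { this.written.push(s); } };
  hookSink(FakeElement.prototype, "innerHTML", "HTMLElement.innerHTML", log);
  hookSink(fakeDocument, "write", "document.write", log);
  const el = new FakeElement();
  el.innerHTML = '<img src="http://cdn.example/x.png" onerror="track()">';
  fakeDocument.write("<p>hello</p>");
  return { log, el, fakeDocument };
}
```

Each log entry pairs the written value with the frames that led to the write, which is what lets a reviewer trace a flagged sink back to the script that fed it.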

"DOM Snitch is intended for use by developers, testers, and security researchers alike," says Radoslav Vasilev, a Google security test engineer.

The benefits of DOM Snitch include the ability to inspect DOM modifications in real time without the need for debuggers, built-in security heuristics, nested views and an export capability.

The easy exporting of captured DOM modifications enables developers to ask for help from their peers when troubleshooting issues.

DOM Snitch is not the only security tool released by Google for developers. Its open-source Skipfish and Ratproxy web application vulnerability scanners are also capable of detecting XSS, XSRF and other flaws.

JavaScript is a critical component in many web attacks, both client-side and server-side. It is used in most drive-by exploits, as well as to obfuscate malicious code on compromised websites.

There are several types of cross-site scripting vulnerabilities. Persistent ones are the most dangerous because they can be exploited to insert rogue code into pages permanently. Non-persistent, or reflected, ones can only be exploited by tricking users into opening malformed URLs.

DOM-based XSS flaws, like the ones DOM Snitch helps identify, are more complicated and can be exploited to load non-HTML code from a server or to write code into the page directly on the client side.

DOM Snitch can be downloaded from its project page on Google Code. Additional documentation is also available there.