Google has created a new tool that lets anyone who installs it see security holes in websites, the company announced on its security blog on Tuesday. Named DOM Snitch, the Chrome extension intercepts JavaScript calls in several ways to spot the use of functions that can inject code from outside sources. Google intends it to show developers where their client-side code needs work.
The company notes that, as Web applications become more complex, the number and kinds of attacks that can be successfully launched against them will increase. Google hopes that the tool will help developers, testers, and security professionals tie up more loose ends with their code and prevent client-side attacks.
While it is still in an experimental phase, DOM Snitch can intercept many different kinds of JavaScript calls and record the URLs accessed by a document along with a complete stack trace. This information lets developers and testers see whether an interloper who intercepts a call could progress to "cross-site scripting, mixed content," or "insecure modifications to the same-origin policy for DOM access." Users can watch DOM modifications in real time and export the results of a test to share with colleagues.
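The interception approach described above, reduced to its core, as an added example that is not DOM Snitch's own code: dangerous DOM sinks (the innerHTML setter, document.write) are wrapped so each use is recorded with the value written and a stack trace pointing at the calling code. The document object, the sink list and the untrusted fragment are constructed for the demo so it runs under Node; in a browser the same hooks would go on Element.prototype and document.

```javascript
// Added example, not DOM Snitch's code: a minimal DOM-sink monitor. Every use of a
// wrapped sink is logged with the value and a stack trace, so a developer can see
// where data reaches code-executing sinks. The document below is a constructed
// stand-in so the demo runs without a browser.
const findings = [];
// Wrap a property setter so every write is logged before the original setter runs.
function hookSetter(target, prop, sinkName) {
  const desc = Object.getOwnPropertyDescriptor(target, prop);
  if (!desc || !desc.set) throw new Error(`no setter for ${prop}`);
  Object.defineProperty(target, prop, {
    ...desc,
    set(value) {
      findings.push({ sink: sinkName, value: String(value), stack: new Error().stack });
      desc.set.call(this, value);
    },
  });
}
// Wrap a method so every call is logged before the original method runs.
function hookMethod(target, method, sinkName) {
  const original = target[method];
  if (typeof original !== 'function') throw new Error(`no method ${method}`);
  target[method] = function (...args) {
    findings.push({ sink: sinkName, value: args.map(String).join(''), stack: new Error().stack });
    return original.apply(this, args);
  };
}
// Constructed stand-in for document: a body element with innerHTML and a write() method.
function makeFakeDocument() {
  const body = { _html: '' };
  Object.defineProperty(body, 'innerHTML', {
    configurable: true, get() { return this._html; }, set(v) { this._html = v; },
  });
  return { body, written: '', write(s) { this.written += s; } };
}
// Simulated page code: an untrusted fragment (think location.hash) reaches two sinks.
function renderUntrusted(doc, fragment) {
  doc.body.innerHTML = '<p>' + fragment + '</p>';
  doc.write(fragment);
}
// Install the hooks, run the page code and return what the monitor captured.
function runDemo(fragment) {
  findings.length = 0;
  const doc = makeFakeDocument();
  hookSetter(doc.body, 'innerHTML', 'Element.innerHTML');
  hookMethod(doc, 'write', 'document.write');
  renderUntrusted(doc, fragment);
  return { doc, findings: findings.slice() };
}
```

Each recorded finding's stack names `renderUntrusted` as the caller, which is the information a developer needs to locate the code path that fed the sink.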
DOM Snitch seems more like a teaching tool or sanity check than a must-have security essential, but it may still see wide use among those still learning how to write secure JavaScript. At least a few users won't be able to resist using the tool for a little public shaming of popular, security-negligent websites.