Google releases extension to detect risky Javascript behavior

[ShareShiz]

Google releases extension to detect risky Javascript behavior
By James Woodfin

Google has released a new extension for its Google Chrome browser. According to their security blog, Google calls the extension DOM Snitch. According to Google, everyday applications that rely on the web are becoming increasingly complex. This leads to a larger attack surface. Previous tools such as Skipfish and Ratproxy were used to secure server-side code. Now Google has created DOM Snitch to test client-side code.

The extension intercepts JavaScript calls that are closely tied to browser infrastructure. Examples would be document.write or HTMLElement.innerHTML. Once the call is intercepted, the extension records the document URL and a complete trace that assess if the call can be used for cross-site scripting, mixed content, insecure modifications to DOM access, or other client-side issues. The browser extension is real time, meaning that developers can observe DOM modifications as they happen. Google claims the tool has built-in security heuristics and nested views so that developers and testers can spot areas of the application that need more attention. The tools also allows developers to export and share captured DOM modifications in order to perform troubleshooting of issues with their peers.

DOM Snitch is intended for use by developers, testers, security researchers, and advanced users only. It is an experimental extension and will not work flawlessly on every web application. It could cause data loss. Use at your own risk.

Source

ShareShiz Reviewed by ShareShiz on 23rd Jun 2011. Google releases extension to detect risky Javascript behavior Google releases extension to detect risky Javascript behavior By James Woodfin Source Rating: 5

[Daniel]

Plug-in is going to be very popular, among the malware purveyors !