New Security Testing Tool from Google

June 26, 2011

I’ve commented here many times about Google’s efforts to expand the usage and usability of the Web, efforts that make perfect sense given that Google makes its money selling Web advertising. More people looking at more ads is a Good Thing for Google’s bottom line. As part of this effort, the company has released a number of software tools, most notably the Chrome browser. Its other projects have included Go, a systems programming language; SPDY, a new Web protocol; and new image formats, WebP and WebM. Many of these tools have been developed as open source projects, or have open source versions available.

Google has also introduced a number of testing tools for Web developers; I’ve mentioned Sputnik and Skipfish here before, and the ratproxy security tool is another open source offering. Last week, Google announced the availability of a new experimental Web security tool, focused on the Document Object Model (DOM) context, called DOM Snitch.

As existing tools focus mostly on testing server-side code, today we are happy to introduce DOM Snitch — an experimental* Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code.

The DOM Snitch extension intercepts JavaScript calls to significant, potentially dangerous parts of the browser infrastructure and logs the details of each call, such as the relevant URL plus a stack trace. It enables developers to record the behavior of an application, and to share the results, without having to step through the code with a debugger. The tool also includes some security heuristics that attempt to flag problematic usage.
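To make the interception idea concrete, here is an added example of my own (not DOM Snitch’s code, and not Google’s) showing how a tool of this kind can hook a sensitive browser API, record the page URL, the arguments and a stack trace for each call, and run a simple heuristic over the arguments. The browser objects (`document.write`, `location.href`) are constructed stand-ins so the example runs outside a real browser; the heuristic patterns and the function names are my own choices.

```javascript
// Added example: instrumenting a DOM "sink" the way an interception-based
// tester does. Everything here is constructed for illustration; it is not
// the DOM Snitch implementation.

// Constructed stand-in for the parts of a browser the hook needs.
function makeFakeBrowser() {
  const written = [];
  return {
    location: { href: "https://app.example/page" }, // constructed page URL
    document: {
      written,                                      // what reached the sink
      write(html) { written.push(html); },          // the sink being hooked
    },
  };
}

// Simple heuristics for arguments that turn a string into active content.
// These are illustrative patterns, not DOM Snitch's actual rules.
const RISKY_PATTERNS = [
  /<script\b/i,     // inline or external script injected via markup
  /\bjavascript:/i, // script URL scheme
  /\bon[a-z]+\s*=/i // inline event handler attribute
];

// Return the source of every pattern that matches a string argument.
function classifyArgs(args) {
  const findings = [];
  for (const a of args) {
    if (typeof a !== "string") continue;
    for (const re of RISKY_PATTERNS) {
      if (re.test(a)) findings.push(re.source);
    }
  }
  return findings;
}

// Replace obj[method] with a wrapper that records each call (sink name,
// page URL, stringified arguments, caller stack, heuristic findings) and
// then calls through so the application keeps working. Returns an
// uninstall function that restores the original method.
function instrumentSink(browser, obj, method, sinkName, log) {
  const original = obj[method];
  obj[method] = function (...args) {
    // Drop the "Error" header line and the wrapper's own frame so the
    // trace starts at the application code that invoked the sink.
    const stack = new Error().stack.split("\n").slice(2).map((s) => s.trim());
    log.push({
      sink: sinkName,
      url: browser.location.href,
      args: args.map(String),
      stack,
      findings: classifyArgs(args),
    });
    return original.apply(this, args);
  };
  return () => { obj[method] = original; };
}

// Drive the hooked sink with a benign call and a risky one, then uninstall
// and show that later calls are no longer recorded. Returns the log and
// everything that reached the sink so the result can be inspected.
function demo() {
  const browser = makeFakeBrowser();
  const log = [];
  const uninstall = instrumentSink(browser, browser.document, "write", "document.write", log);
  browser.document.write("<p>hello</p>");
  // Constructed risky usage: writing a script tag as a string.
  browser.document.write('<script src="https://cdn.example/lib.js"></script>');
  uninstall();
  browser.document.write("<p>not logged after uninstall</p>");
  return { log, written: browser.document.written };
}
```

The hook preserves the sink’s behaviour (all three writes still land), which is the property that lets a tester record a running application rather than reason about it in a debugger; the log entries, with their URL and caller stack, are what a developer would share from such a session.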

Further information on DOM Snitch is available at the project page, including documentation and download links.  DOM Snitch is licensed under the open source Apache 2.0 license.
