Google launches an open source Chrome security tool

INTERNET GIANT Google has launched an open source Chrome extension that can help with identifying client-side security holes.

The extension, known as DOM Snitch, will help developers, testers and security researchers spot security threats more easily, and it can even do it in real-time, letting people see Document Object Model (DOM) code changes as they happen.

Another key feature are built-in security heuristics, which will automatically spot security concerns in the code and mark them with errors or warnings. It will employ one of four colours to mark these incidences, grey for duplicated modifications, green for a minor issue, yellow for a more serious issue, and red for a definite security threat.

The tool will intercept Javascript calls to potentially vulnerable parts of the web browser's infrastructure, such as document.write or HTMLElement.innerHTML, and will record the URL and a stack trace to help development and security users discover how risky a Javascript call really is.

Google is priding itself on making the tool as user-friendly as possible, claiming it can be used by both advanced and inexperienced developers and testers to quickly identify trouble spots in an application.

Collaboration will also be easier with DOM Snitch, as developers can export and share captured DOM changes, allowing colleagues to see their development and help address new security risks.

Google emphasises that the DOM Snitch tool is experimental and that it is not guaranteed to work flawlessly with all web applications.

The company has previously launched other open source tools for helping developers better understand their applications and help further secure them, such as Skipfish and Ratproxy.

DOM Snitch is available to download for free. µ