22 Jun 2011
Google has updated its Chrome browser with an experimental extension designed to identify potentially insecure coding practices.
DOM Snitch has been built for developers and testers to help them spot problems in client-side code.
"To do this, we have adopted several approaches to intercepting JavaScript calls to key and potentially dangerous browser infrastructure such as document.write or HTMLElement.innerHTML (among others)," explained Google Zurich security test engineer Radoslav Vasilev in a blog post.
"Once a JavaScript call has been intercepted, DOM Snitch records the document URL and a complete stack trace that will help assess if the intercepted call can lead to cross-site scripting, mixed content, insecure modifications to the same-origin policy for DOM access, or other client-side issues."
Vasilev added that the tool would enable developers to spot insecure practices as they happen inside the browser, meaning they don't have to pause the app and go step-by-step with a debugging tool.
DOM Snitch also features security heuristics and nested views to allow even less experienced testers to spot potential problem areas. They are also able to export and share any insecure code found by the tool with others, said Vasilev.
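The interception approach described above can be sketched as follows. This is an added example, not DOM Snitch's code and not from Google's post: it wraps a method sink and a setter sink so that each use is recorded with the document URL and a stack trace before being forwarded unchanged. The names `snitch`, `findDescriptor`, `FakeElement`, the record fields and the URL are assumptions, with constructed stand-ins for DOM objects so it runs in Node without a browser.

```javascript
// Added illustration, not DOM Snitch's code. snitch() and the record fields are hypothetical.
function findDescriptor(obj, prop) {
  // Walk the prototype chain; in a browser innerHTML is defined on a prototype.
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  throw new Error('no such property: ' + prop);
}
// Wrap a sink (method or setter) so each use is logged, then forwarded unchanged.
function snitch(obj, prop, log, getUrl) {
  const desc = findDescriptor(obj, prop);
  if (typeof desc.value !== 'function' && !desc.set) throw new Error(prop + ' is not a sink');
  const record = (value) => log.push({
    sink: prop,
    url: getUrl(),                 // document URL at call time
    value: String(value),          // what was about to reach the sink
    // Full trace minus the "Error" header; the first frames are the hook itself.
    stack: new Error().stack.split('\n').slice(1).map((s) => s.trim()),
  });
  if (typeof desc.value === 'function') {   // method sink, e.g. document.write
    obj[prop] = function (...args) {
      record(args.join(''));
      return desc.value.apply(this, args);
    };
  } else {                                  // accessor sink, e.g. innerHTML
    Object.defineProperty(obj, prop, {
      configurable: true,
      get: desc.get,
      set(v) { record(v); desc.set.call(this, v); },
    });
  }
}

// Constructed stand-ins so the example runs outside a browser.
class FakeElement {
  constructor() { this._html = ''; }
  get innerHTML() { return this._html; }
  set innerHTML(v) { this._html = v; }
}
function renderGreeting(el, name) { el.innerHTML = '<b>Hello ' + name + '</b>'; }
function demo() {
  const doc = { URL: 'https://app.example/profile', out: '', write(s) { this.out += s; } };
  const el = new FakeElement(), log = [];
  snitch(el, 'innerHTML', log, () => doc.URL);
  snitch(doc, 'write', log, () => doc.URL);
  renderGreeting(el, 'Ada');
  doc.write('<p>done</p>');
  return { log, el, doc };
}
```

Each record's `stack` names the application function that reached the sink (here `renderGreeting`), which is what lets a tester trace a flagged write back to its source without stepping through a debugger.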
Web application vulnerabilities are one of the most common ways for hackers to gain entry to systems, and often come about simply because security is not designed into the software from the beginning.
In January, application security vendor Veracode called on independent standards bodies to put their weight behind its list of the top 10 mobile app risks, in order to help drive the development of more secure applications.
The firm also introduced a free cross-site scripting (XSS) scanning service designed to enable developers to eradicate the errors responsible for more than half of the world's web application vulnerabilities.