
One of the most frequent errors that DOM Snitch finds in sites is "Untrusted code". It finds it on google.com, for example. Here is the output of this tool:

Is it a vulnerability?

Edit: This DOM Snitch report was caused by the enabled Skype Click to Call extension, which sends requests while the page is loaded.

Andrei Botalov

3 Answers

The "Untrusted code" heuristic is intended to flag the inclusion of any resources that are hosted outside the immediate origin or a pre-defined list of safe origins (https://code.google.com/p/domsnitch/wiki/ConfigFiles#safeOrigins). The basis of this heuristic is to provide a signal if you're including resources from an origin you're not supposed to. It does not evaluate whether an included resource is insecure or not.

As for the sample above, the included script is not from DOM Snitch as the extension itself uses inline JavaScript when it needs to pass JavaScript code into the page itself. Please see https://code.google.com/p/domsnitch/source/browse/trunk/glue/Loader.js#26.

radi

The documentation on DOM Snitch is a bit sparse, so I can only guess that by "Untrusted Code" they mean JavaScript from a different source than the current page you are on.

The screenshot you provided shows that the "untrusted code" is a Chrome extension, which the Chrome browser will load through an injected <script> tag on the current page.

Extensions use these so-called "content scripts" to parse the current page and act on it if they intend to do something with it. Not every extension will be added to every page. This is controlled via the permissions that are requested when installing an extension. Some extensions ask for access to every page (for example, Stylish asks for permission to "Your data on all websites"), some for only some pages (Google Mail Checker gets access to "Your data on google.com"), and some for none (the official GMail app).

So in conclusion, you should be safe, as long as you trust the extension author.

Karthik
Andreas Arnold

  • Actually, this extension is DOM Snitch itself. Does it mean that DOM Snitch generates a vulnerability that only tells that it parses the page? Why does DOM Snitch generate this vulnerability? – Andrei Botalov Feb 16 '12 at 15:34
  • I would not say it is **creating** a vulnerability. Unless I'm missing something, the correct statement would be that it is accidentally **calling itself** a vulnerability. – 700 Software Feb 17 '12 at 00:40
  • Now that's funny. DOM Snitch is calling itself "untrusted code"? But I guess this makes sense, since it doesn't originate from the same origin as the page itself. But as George said, it doesn't create a vulnerability, it just reports a **possible** vulnerability. – Andreas Arnold Feb 17 '12 at 08:14

The "untrusted code" is defined by the origin of a resource relative to the current resource via the "safeOrigins" configuration. The way DOM Snitch implements this is in my opinion of little value, since if the current resource was modified with hostile intent, it would not matter whether the hostile element was local or non-local.

Information about safeOrigins configuration:

Used by the untrustedCode heuristic, this field specifies the origins that are considered trusted for hosting scripts, CSS, and Flash movies.

"safeOrigins" : [".example.com", "foo.example.com/example/"]

Source: Configuration files in DOM Snitch

blunders
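The heuristic described in the first and third answers, as an added example that is not DOM Snitch's own code: a JavaScript model of the untrustedCode check, where same-origin resources are always trusted and everything else must match a safeOrigins entry in the format shown above. The matching rules (a leading dot matches a host suffix, an entry with a path matches that host plus a path prefix), the page URL and the sample resource list are assumptions.

```javascript
// Added example, not DOM Snitch's own code: a model of the "untrusted code"
// heuristic. A resource is trusted when it is same-origin with the page or
// matches an entry of the safeOrigins list; anything else is reported.
// Assumed matching rules: ".example.com" matches example.com and any subdomain,
// "host/path/" matches that host plus a path prefix, a bare host must match exactly.

function matchesSafeOrigin(resource, entry) {
  const slash = entry.indexOf('/');
  const hostPart = slash === -1 ? entry : entry.slice(0, slash);
  const pathPart = slash === -1 ? '' : entry.slice(slash);
  const hostOk = hostPart.startsWith('.')
    ? resource.hostname === hostPart.slice(1) || resource.hostname.endsWith(hostPart)
    : resource.hostname === hostPart;
  return hostOk && resource.pathname.startsWith(pathPart);
}

// Returns true when the heuristic (as modelled here) would flag the resource.
function isUntrustedCode(pageUrl, resourceUrl, safeOrigins) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl, pageUrl); // resolves relative src values
  if (resource.origin === page.origin) return false; // immediate origin is always trusted
  return !safeOrigins.some(entry => matchesSafeOrigin(resource, entry));
}

// Lists the script-like resources a scan of one page would report.
function scanResources(pageUrl, resources, safeOrigins) {
  return resources
    .filter(r => isUntrustedCode(pageUrl, r.src, safeOrigins))
    .map(r => ({ tag: r.tag, src: new URL(r.src, pageUrl).href }));
}

// Constructed sample data (assumed page, safeOrigins and resources).
const PAGE_URL = 'https://www.site.test/index.html';
const SAFE_ORIGINS = ['.example.com', 'cdn.partner.test/assets/'];
const SAMPLE_RESOURCES = [
  { tag: 'script', src: '/js/app.js' },                                     // same-origin
  { tag: 'script', src: 'https://cdn.example.com/lib.js' },                 // suffix match
  { tag: 'script', src: 'https://cdn.partner.test/assets/widget.js' },      // host + path prefix match
  { tag: 'script', src: 'https://cdn.partner.test/tracking/beacon.js' },    // path outside the prefix
  { tag: 'script', src: 'chrome-extension://abcdefghijklmnop/content.js' }, // injected by an extension
];

console.log(JSON.stringify(scanResources(PAGE_URL, SAMPLE_RESOURCES, SAFE_ORIGINS), null, 2));
```

The last entry reproduces the situation in the question: a script injected by an extension has a different origin from the page, so the heuristic reports it although nothing on the page itself was changed.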