JavaScript Static Security Analysis made easy with JSPrime


  • 1.
  • 2.

    Agenda
    • Introduction to the problem
      - Why is it a problem?
      - What is the impact?
      - Demo
    • What is JSPrime?
      - What is it?
      - Who is it for?
      - How does it work?
      - What can it do?
      - What can't it do?
      - Demo
    • Conclusion and questions

  • 3.

    Who am I?
    • First-time BlackHat speaker (at Vegas too)
    • Senior Paranoid at Yahoo! Inc.
      - Security Engineer at eBay Inc. (past)
    • Bug Bounty Hunter (FB, Mozilla, Nokia, Foursquare, etc.)
    • Speaker at NullCon 2012, Goa, India
    • Co-author of Ra.2: DOM XSS Scanner Firefox add-on
    • 5+ years of security self-studying
    • Keyboard player & sports-bike enthusiast

  • 4.

    Who is Sarathi?
    • Experienced application developer, 7+ years of experience
    • 5+ years at Yahoo! Inc.
    • Full-time JSPrime developer
    • @sarathisahoo, http://fb.me/sarathi.sahoo

  • 5.
  • 6.

    Introduction: The Problem
    JavaScript is a dynamic language:
    • Object-based, properties created on demand
    • Prototype-based inheritance
    • First-class functions, closures
    • Runtime types, coercions

  • 7.

    Introduction: The Problem
    • Client-side script injection: DOM XSS
    • Server-side script injection: Node.JS applications

  • 8.

    Introduction: Why is it a problem?
    • Server-side filtering fails for DOM XSS
    • JavaScript code review is intimidating #iykwim
    • Library-dependent source-to-sink pairs
    • Not enough scanners

  • 9.

    Introduction: The Impact
    • Same as regular XSS: reflected or stored
    • Script injection on the server side or on a mobile device can be really lethal
    • Node.JS, Firefox OS, Windows 8 apps (WinJS)

  • 10.
  • 11.

    Introducing JSPrime
    • What is it?
    • Who is it for?
    • What can it do? Avoiding false positives
    • What can't it do? Knowing the false negatives
    • Stability & automation
    • Demo

  • 12.

    Introducing JSPrime: What is it?
    • JSPrime is a light-weight source code scanner for identifying security issues using static analysis.
    • It is written in JavaScript to analyze JavaScript.
    • Uses the open-source ECMAScript parser: Esprima.org

  • 13.

    Introducing JSPrime: Who is it for?
    • JSPrime is mostly a developer-centric tool.
    • It can aid code reviewers in identifying security issues in the 1st pass.
    • Security professionals may find it useful during penetration testing engagements.

  • 14.

    Introducing JSPrime: How does it work?
    • Feed the code to Esprima to generate the AST.
    • Parse the JSON AST to locate all sources (including objects and prototypes), keeping track of their scopes.
    • Parse the AST to locate all assignment operations related to the sources, while keeping track of their scopes.
    • Parse the AST to locate sinks and sink aliases, again keeping track of their scope.
    • Parse the AST to locate functions (including closures and anonymous functions) which are fed with sources as arguments, while tracking their return values.

  • 15.

    Introducing JSPrime: How does it work?
    • Once all the sources and source aliases are collected, we check for any filter function applied to them; a source is rejected if one is found.
    • The remaining sources and source aliases are tracked for assignments or pass-as-argument operations to the collected sinks or sink aliases.
    • We repeat the same process in reverse order, to be sure that we reach the same source when we traverse backwards.
    • Once confirmed, we extract the line numbers and their statements and put them in the report, which we generate with different color coding.

  • 16.

    Introducing JSPrime: What can it do?
    • It can follow code execution order
    • Handle first-class functions
    • Analyze prototype-based inheritance
    • Understand type-casting
    • Understand context-based filter functions (they have to be manually supplied, though)
    • Library-aware sources and sinks
    • Variable, object and function scope-aware analysis
    • Control-flow analysis
    • Data-flow analysis

  • 17.

    Introducing JSPrime: What can't it do?
    • It can't detect 100% of the issues.
    • It can't learn sources and sinks automatically.
    • It can't handle obfuscated JavaScript.
    • It can't report issues in minified JavaScript, unless beautified.
    • It can't analyze dynamically generated JavaScript using 'eval' or similar methods.

  • 18.

    Introducing JSPrime: Stability & Automation
    • Handles up to 1500 LoC in a single scan
    • A Node.JS port is available for a server-side, web-service-like setup
    • Largely dependent on Esprima's robustness, which can be the 1st point of failure

  • 19.
  • 20.

    Roadmap
    • Improved performance and stability
    • Multiple file scanning
    • Node.JS project scanning capability
    • IDE plugin (Notepad++, WebStorm, ??)
    • More library support
    • String manipulation simulation
    • Your suggestions?

  • 21.
  • 22.

    Credits
    • Ariya Hidayat, Esprima.org
    • Paul Theriault, Mozilla Security Team
    • Bishan Singh - @b1shan
    • Rafay Baloch – rafayhackingarticles.com

  • 23.
  • 24.
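The source-to-sink pass that slides 14 and 15 describe, as an added toy example written for this page (it is not JSPrime's own code). It assumes one flat scope, a hand-constructed ESTree AST in place of Esprima's output, and small assumed source, sink and filter lists; function tracking and the reverse pass are left out.

```javascript
// Added example, not JSPrime's own code: a toy version of the source-to-sink pass
// described on slides 14-15, run over an ESTree-shaped AST (what Esprima emits).
// Assumes one flat scope; no function/closure tracking and no reverse pass.
const SOURCES = ['location.hash', 'location.search', 'document.URL']; // DOM XSS sources
const SINKS   = ['innerHTML', 'outerHTML'];                           // DOM XSS sinks
const FILTERS = ['encodeURIComponent', 'escapeHTML'];  // manually supplied, as on slide 16
// Minimal ESTree node builders so the sample AST can be written inline
const Id     = (name) => ({ type: 'Identifier', name });
const Mem    = (object, prop) => ({ type: 'MemberExpression', object, property: Id(prop) });
const Call   = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });
const Var    = (name, init) => ({ type: 'VariableDeclaration',
  declarations: [{ type: 'VariableDeclarator', id: Id(name), init }] });
const Assign = (left, right) => ({ type: 'ExpressionStatement',
  expression: { type: 'AssignmentExpression', operator: '=', left, right } });
// Constructed AST for:  var h = location.hash; var safe = encodeURIComponent(h);
//   var alias = h; document.body.innerHTML = alias; /* reported */ el.innerHTML = safe; /* not */
const program = { type: 'Program', body: [
  Var('h', Mem(Id('location'), 'hash')),
  Var('safe', Call(Id('encodeURIComponent'), [Id('h')])),
  Var('alias', Id('h')),
  Assign(Mem(Mem(Id('document'), 'body'), 'innerHTML'), Id('alias')),
  Assign(Mem(Id('el'), 'innerHTML'), Id('safe')),
] };
// Render an Identifier/MemberExpression chain as "a.b.c" for matching against the lists
const dotted = (n) => n.type === 'Identifier' ? n.name
  : n.type === 'MemberExpression' ? dotted(n.object) + '.' + n.property.name : null;
// Does the expression carry source data? `tainted` holds the source aliases seen so far.
function isTainted(node, tainted) {
  if (node.type === 'Identifier') return tainted.has(node.name);
  if (node.type === 'MemberExpression') return SOURCES.includes(dotted(node));
  if (node.type === 'CallExpression') {
    if (FILTERS.includes(dotted(node.callee))) return false;  // filter function: source rejected
    return node.arguments.some((a) => isTainted(a, tainted)); // any other call passes taint on
  }
  return false;
}
// Walk statements in execution order; return every sink assignment fed by a source.
function findFlows(ast) {
  const tainted = new Set(), findings = [];
  ast.body.forEach((stmt, i) => {
    if (stmt.type === 'VariableDeclaration') {           // var x = <source or alias> -> new alias
      for (const d of stmt.declarations) if (d.init && isTainted(d.init, tainted)) tainted.add(d.id.name);
    } else if (stmt.type === 'ExpressionStatement' && stmt.expression.type === 'AssignmentExpression') {
      const { left, right } = stmt.expression;           // <sink> = <alias> -> finding
      if (left.type === 'MemberExpression' && SINKS.includes(left.property.name) && isTainted(right, tainted))
        findings.push({ statement: i, sink: dotted(left), source: dotted(right) });
    }
  });
  return findings;
}
```

Running `findFlows(program)` reports only the `document.body.innerHTML = alias` statement; the `encodeURIComponent` call on the other path is treated as a filter and that source is rejected, which is the false-positive avoidance the slides describe.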

Editor's Notes

  • #2 Hello everyone! Good afternoon. I know it's kind of tough to be in a session right after lunch. I will try to keep most of you awake during the talk. My name is Nishant Das Patnaik and for the next 45 or so I'm here to talk about JavaScript Static Security Analysis made easy with JSPrime. This talk is jointly prepared by me and Sarathi Sahoo. Before we start I would like to know how many of you are developers here? JavaScript developers, to be specific? Please raise your hands. Okay… great, this talk will be more focused towards the work you do. So without any further ado, let's begin.
  • #3 We shall discuss what the problem is, why it is a problem, and some demos of the problem that we are trying to solve. Then we will discuss our proof-of-concept solution that we call JSPrime. We will try to know what it is, who it is meant for, how it works, what it can do and what not to expect from it, YET. And finally I will show you some demos of the tool and then we shall move on to the conclusion and the questions & answers session. Though I have kept a separate 10-minute slot for Q&A, please feel free to stop me at any moment, should you need any clarification or have any question. Sounds good? Awesome!
  • #4 Okay, before we start let me introduce myself to you guys. This is my first time at BlackHat. So please be kind to me, in case something doesn't work as expected. Haha. I work as a Senior Paranoid at Yahoo, India. Prior to Yahoo I was at eBay. I enjoy hunting bug bounties and have been successful a couple of times. I was a speaker at NullCon 2012; it's a security conference that takes place in Goa, India. There we released a tool, a Firefox add-on to be specific, called Ra.2, which is a basic and lightweight DOM-based XSS scanner. I have been self-studying security for more than 5 years now and have just managed to clear the noob level. I also enjoy playing Bollywood tracks on keyboards and grand piano. Of late I have turned into a sports bike enthusiast. That's all and enough about me, let's proceed.
  • #9 Point #2: How many of you are involved in the security review of JavaScript source code? Point #4: What scanners/tools do you use? Open source / commercial? Satisfaction level? Automation capability?
  • #14 Can’t handle compression, obfuscation.