Nishant Das Patnaik, profile picture
Uploaded byNishant Das Patnaik
PPTX, PDF10,714 views

JavaScript Static Security Analysis made easy with JSPrime

This document outlines an agenda for a presentation introducing JSPrime, a static analysis tool for identifying security issues in JavaScript code. It begins with introductions of the speakers and background on JavaScript security problems. A demo shows sample vulnerable code. JSPrime is described as a lightweight, JavaScript-based scanner that uses abstract syntax tree parsing and data/control flow analysis to find potential injection issues while avoiding false positives. Future plans include improved performance, Node.js scanning, and IDE plugins. Questions are invited at the end.

Technology
Related topics:
Web Security Overview

Embed presentation

Downloaded 95 times
Nishant Das Patnaik @dpnishant Sarathi Sahoo @sarathisahoo
Agenda • Introduction to the problem - Why is it a problem? - What is the impact? - Demo • What is JSPrime? - What is it? - Who is it for? - How it works? - What it can do? - What it can’t do? - Demo • Conclusion and questions
Who am I? • First time BlackHat speaker (at Vegas too) • Senior Paranoid at Yahoo! Inc. - Security Engineer at eBay Inc. (Past) • Bug Bounty Hunter (FB, Mozilla, Nokia, Foursquare etc) • Speaker at NullCon 2012, Goa, India • Co-author of Ra.2: – DOM XSS Scanner Firefox add-on • 5+ years of security self-studying • Keyboard Player & Sports-bike enthusiast
Who is Sarathi? • Experienced Application Developer, 7+ years experience • 5+ years at Yahoo! Inc. • Full-time JSPrime Developer • @sarathisahoo, http://fb.me/sarathi.sahoo
JavaScript: the lingua franca of Web & Mobile
Introduction: The Problem JavaScript is a dynamic language • Object-based, properties created on demand • Prototype-based inheritance • First-class functions, closures • Runtime types, coercions
Introduction: The Problem • Client Side Script Injection - DOM XSS • Server Side Script Injection - Node.JS Applications
Introduction: Why is it problem? • Server side filtering fails for DOM XSS • JavaScript code review is intimidating #iykwim • Library dependent source-to-sink pairs • Not Enough Scanners
Introduction: The Impact • Same as regular XSS: Reflected or Stored • Script Injection on server side or mobile device can be really lethal. • Node.JS, Firefox OS, Windows 8 Apps (WinJS)
Vulnerability Demo Some sample codes
Introducing JSPrime • What is it? • Who is it for? • What it can do? Avoiding False positives • What it can’t do? Knowing the False negatives • Stability & Automation • Demo
Introducing JSPrime: What is it? • JSPrime is a light-weight source code scanner for identifying security issues using static analysis. • It is written in JavaScript to analyze JavaScript. • Uses the open-source ECMAScript parser: Esprima.org
Introducing JSPrime: Who is it for? • JSPrime is mostly a developer centric tool. • It can aid code reviewers for identifying security issues in 1st pass. • Security professionals may find it useful during penetration testing engagements.
Introducing JSPrime: How it works? • Feed the code to Esprima, to generate the AST. • Parse the JSON AST, to locate all sources (including Objects, Prototype) and keeping track of their scopes • Parse the AST, to locate all assignment operations related to the sources, while keeping track of their scopes • Parse the AST to locate sinks and sink aliases, again keeping track of their scope. • Parse AST to locate functions (including closures, anon functions) which are fed with sources as arguments and while tracking down their return values.
Introducing JSPrime: How it works? • Once all the sources, source aliases are collected we check for any filter function on them, rejected if found. • Remaining sources, source aliases are tracked for assignments or pass as argument operations to the collected sinks or sink aliases. • We repeat the same process in reverse order to be sure that we reach the same source when we traverse backwards, just to be sure. • Once we confirm that we extract the line numbers and their statement and put it in the report we generate with different color coding
Introducing JSPrime: What it can do? • It can follow code execution order • Handle First-class functions • Analyze Prototype-based inheritance • Understand type-casting • Understand context-based filter functions (has to be manually supplied, though) • Library aware sources and sinks • Variable, Objects, Functions scope aware analysis • Control-flow analysis • Data-flow analysis
Introducing JSPrime: What it can’t do? • It can’t detect 100% of the issues. • It can’t learn sources and sinks automatically • It can’t handle obfuscated JavaScript • It can’t report issues in minified JavaScript, unless beautified. • It can’t analyze dynamically generated JavaScript using ‘eval’ or similar methods
Introducing JSPrime: Stability & Automation • Handle up to 1500 LoC in a single scan • Node.JS port is available for server-side web service like setup • Largely dependent on Esprima’s robustness, can be the 1st point failure
Demo Have patience! 
Roadmap Improved performance and stability Multiple file scanning Node.JS Project Scanning capability IDE Plugin (Notepad++, WebStorm, ??) More Library Support String manipulation simulation Your suggestions? 
Summary Actively work-in-progress Promising project roadmap Open-sourced today www.jsprime.org
Credits • Aria Hidayat, Esprima.org • Paul Theriault, Mozilla Security Team • Bishan Singh - @b1shan • Rafay Baloch – rafayhackingarticles.com
Questions?
THANK YOU
JavaScript Static Security Analysis made easy with JSPrime

More Related Content

PDF
JavaScript Security
byJohann-Peter Hartmann
 
PDF
Armitage – The Ultimate Attack Platform for Metasploit
byIshan Girdhar
 
PPT
Clear concepts of syllogism & key rules
byRakesh Kumar
 
PPTX
Client-side JavaScript Vulnerabilities
byOry Segal
 
PPTX
Pentesting With Web Services in 2012
byIshan Girdhar
 
PDF
Efficient Context-sensitive Output Escaping for Javascript Template Engines
byadonatwork
 
PDF
Pentesting Your Own Wireless Networks, June 2011 Issue
byIshan Girdhar
 
PDF
Pyscho-Strategies for Social Engineering
byIshan Girdhar
 
JavaScript Security
byJohann-Peter Hartmann
 
Armitage – The Ultimate Attack Platform for Metasploit
byIshan Girdhar
 
Clear concepts of syllogism & key rules
byRakesh Kumar
 
Client-side JavaScript Vulnerabilities
byOry Segal
 
Pentesting With Web Services in 2012
byIshan Girdhar
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
byadonatwork
 
Pentesting Your Own Wireless Networks, June 2011 Issue
byIshan Girdhar
 
Pyscho-Strategies for Social Engineering
byIshan Girdhar
 

Similar to JavaScript Static Security Analysis made easy with JSPrime

PDF
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
PPTX
Manual JavaScript Analysis Is A Bug
byLewis Ardern
 
PPTX
Overview of Vulnerability Scanning.pptx
byAjayKumar73315
 
PPTX
Web security: Securing untrusted web content at browsers
byPhú Phùng
 
PDF
Node Security: The Good, Bad & Ugly
byBishan Singh
 
PPTX
Javascript Security
byjgrahamc
 
PDF
Browser exploitation SEC-T 2019 stockholm
byJameel Nabbo
 
PDF
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
byIBM Rational software
 
PPTX
Safe Wrappers and Sane Policies for Self Protecting JavaScript
byPhú Phùng
 
PDF
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
byNelson Brito
 
PDF
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 
PPTX
Web security: Securing Untrusted Web Content in Browsers
byPhú Phùng
 
PDF
CS6262_Group9_FinalReport
byGarrett Mallory
 
PPTX
Webinar–Reviewing Modern JavaScript Applications
bySynopsys Software Integrity Group
 
PPTX
Phu appsec13
bydrewz lin
 
PDF
A client-side vulnerability under the microscope!
byNelson Brito
 
PDF
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
byClubHack
 
PPT
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
byguestb0af15
 
PDF
Secure java script-for-developers
byn|u - The Open Security Community
 
PPTX
Application-security-Javascript.pptx
byDBALLIANCE Ltd UK
 
OWASP SF - Reviewing Modern JavaScript Applications
byLewis Ardern
 
Manual JavaScript Analysis Is A Bug
byLewis Ardern
 
Overview of Vulnerability Scanning.pptx
byAjayKumar73315
 
Web security: Securing untrusted web content at browsers
byPhú Phùng
 
Node Security: The Good, Bad & Ugly
byBishan Singh
 
Javascript Security
byjgrahamc
 
Browser exploitation SEC-T 2019 stockholm
byJameel Nabbo
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
byIBM Rational software
 
Safe Wrappers and Sane Policies for Self Protecting JavaScript
byPhú Phùng
 
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
byNelson Brito
 
BSides Leeds - Performing JavaScript Static Analysis
byLewis Ardern
 
Web security: Securing Untrusted Web Content in Browsers
byPhú Phùng
 
CS6262_Group9_FinalReport
byGarrett Mallory
 
Webinar–Reviewing Modern JavaScript Applications
bySynopsys Software Integrity Group
 
Phu appsec13
bydrewz lin
 
A client-side vulnerability under the microscope!
byNelson Brito
 
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
byClubHack
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
byguestb0af15
 
Secure java script-for-developers
byn|u - The Open Security Community
 
Application-security-Javascript.pptx
byDBALLIANCE Ltd UK
 

Recently uploaded

PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
DOCX
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Cloud Security, Serverless Security. Cybersecurity
byEdcelPacayraDuena
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Hybrid Cloud vs Multi-Cloud Strategy 2025
byTeleglobal International
 

JavaScript Static Security Analysis made easy with JSPrime

  • 1.
  • 2.
    Agenda • Introduction tothe problem - Why is it a problem? - What is the impact? - Demo • What is JSPrime? - What is it? - Who is it for? - How it works? - What it can do? - What it can’t do? - Demo • Conclusion and questions
  • 3.
    Who am I? •First time BlackHat speaker (at Vegas too) • Senior Paranoid at Yahoo! Inc. - Security Engineer at eBay Inc. (Past) • Bug Bounty Hunter (FB, Mozilla, Nokia, Foursquare etc) • Speaker at NullCon 2012, Goa, India • Co-author of Ra.2: – DOM XSS Scanner Firefox add-on • 5+ years of security self-studying • Keyboard Player & Sports-bike enthusiast
  • 4.
    Who is Sarathi? •Experienced Application Developer, 7+ years experience • 5+ years at Yahoo! Inc. • Full-time JSPrime Developer • @sarathisahoo, http://fb.me/sarathi.sahoo
  • 5.
    JavaScript: the linguafranca of Web & Mobile
  • 6.
    Introduction: The Problem JavaScriptis a dynamic language • Object-based, properties created on demand • Prototype-based inheritance • First-class functions, closures • Runtime types, coercions
  • 7.
    Introduction: The Problem •Client Side Script Injection - DOM XSS • Server Side Script Injection - Node.JS Applications
  • 8.
    Introduction: Why isit problem? • Server side filtering fails for DOM XSS • JavaScript code review is intimidating #iykwim • Library dependent source-to-sink pairs • Not Enough Scanners
  • 9.
    Introduction: The Impact •Same as regular XSS: Reflected or Stored • Script Injection on server side or mobile device can be really lethal. • Node.JS, Firefox OS, Windows 8 Apps (WinJS)
  • 10.
  • 11.
    Introducing JSPrime • Whatis it? • Who is it for? • What it can do? Avoiding False positives • What it can’t do? Knowing the False negatives • Stability & Automation • Demo
  • 12.
    Introducing JSPrime: Whatis it? • JSPrime is a light-weight source code scanner for identifying security issues using static analysis. • It is written in JavaScript to analyze JavaScript. • Uses the open-source ECMAScript parser: Esprima.org
  • 13.
    Introducing JSPrime: Whois it for? • JSPrime is mostly a developer centric tool. • It can aid code reviewers for identifying security issues in 1st pass. • Security professionals may find it useful during penetration testing engagements.
  • 14.
    Introducing JSPrime: Howit works? • Feed the code to Esprima, to generate the AST. • Parse the JSON AST, to locate all sources (including Objects, Prototype) and keeping track of their scopes • Parse the AST, to locate all assignment operations related to the sources, while keeping track of their scopes • Parse the AST to locate sinks and sink aliases, again keeping track of their scope. • Parse AST to locate functions (including closures, anon functions) which are fed with sources as arguments and while tracking down their return values.
  • 15.
    Introducing JSPrime: Howit works? • Once all the sources, source aliases are collected we check for any filter function on them, rejected if found. • Remaining sources, source aliases are tracked for assignments or pass as argument operations to the collected sinks or sink aliases. • We repeat the same process in reverse order to be sure that we reach the same source when we traverse backwards, just to be sure. • Once we confirm that we extract the line numbers and their statement and put it in the report we generate with different color coding
  • 16.
    Introducing JSPrime: Whatit can do? • It can follow code execution order • Handle First-class functions • Analyze Prototype-based inheritance • Understand type-casting • Understand context-based filter functions (has to be manually supplied, though) • Library aware sources and sinks • Variable, Objects, Functions scope aware analysis • Control-flow analysis • Data-flow analysis
  • 17.
    Introducing JSPrime: Whatit can’t do? • It can’t detect 100% of the issues. • It can’t learn sources and sinks automatically • It can’t handle obfuscated JavaScript • It can’t report issues in minified JavaScript, unless beautified. • It can’t analyze dynamically generated JavaScript using ‘eval’ or similar methods
  • 18.
    Introducing JSPrime: Stability& Automation • Handle up to 1500 LoC in a single scan • Node.JS port is available for server-side web service like setup • Largely dependent on Esprima’s robustness, can be the 1st point failure
  • 19.
  • 20.
    Roadmap Improved performance andstability Multiple file scanning Node.JS Project Scanning capability IDE Plugin (Notepad++, WebStorm, ??) More Library Support String manipulation simulation Your suggestions? 
  • 21.
    Summary Actively work-in-progress Promising projectroadmap Open-sourced today www.jsprime.org
  • 22.
    Credits • Aria Hidayat,Esprima.org • Paul Theriault, Mozilla Security Team • Bishan Singh - @b1shan • Rafay Baloch – rafayhackingarticles.com
  • 23.
  • 24.

Editor's Notes

  • #2 Hello everyone! Good afternoon. I know its kind of tough to be in session right after the lunch. I will try to keep most of you remain awake during the talk. My name is Nishant Das Patnaik and for the next 45 or so I’m here to talk about JavaScript Static Security Analysis made easy with JSPrime. This talk is jointly prepared by me and SarathiSahoo. Before we start I would like to know how many of you are developers here? Javascript developers to be specific? Please raise your hands. Okay …great this talk will be more focused towards the work you do. So without any further adieu, lets begin.
  • #3 We shall discuss about what is the problem? Why is it a problem and some demo of the problem. that we are trying to solve. Then we will discuss about our proof of concept solution that we call: JSPrime. We will try to know what is it? Who is it meant for? How it works? What it can do and what not to expect from it, YET? And finally I will show you some of demos of the tool and then we shall move on to conclusion and questions & answer session. Though I have kept a separate 10 mins slot for Q&A, but please feel free to stop me any moment, should you need any clarification or have any question. Sounds good? Awesome!
  • #4 Okay before we start let me introduce myself to you guys. This is my first time at BlackHat. So please be kind to me, incase something doesn’t work as expected. Haha. I work as a Senior Paranoid at Yahoo, India. Prior to Yahoo I was at eBay. I enjoy hunting bug bounties and have been successful couple of times. I was a speaker at NullCon 2012, it’s a security conference that takes place in Goa, India. There we released a tool, Firefox addon to be specific, called Ra.2 which is a basic and lightweight DOM based XSS scanner. I have been self studying Security for more than 5 years now and have just managed to clear the noob level. I also enjoy playing bollywood tracks on keyboards and grand piano. Offlate I have turned into an sports bike enthusiast. That’s all and enough about me, let proceed.
  • #9 Point #2: How many of you are involved the security review of javascript source codes?Point #4: What scanners/tools do you use? Open source / Commercial? Satisfaction level. Automation capability?
  • #14 Can’t handle compression, obfuscation.