© 2017 Synopsys, Inc. 1
Performing JavaScript Static Analysis
A high-level overview of performing code review on JavaScript apps
Lewis Ardern
January 26, 2018
About Me
• Sr. Security Consultant @ Synopsys Software Integrity Group (SIG)
– Formerly Cigital
– 4 years within the security space
– Ph.D. Candidate at Leeds Beckett University
• Prior to Cigital
– B.Sc. in Computer Security and Ethical Hacking
– Founder of the Leeds Ethical Hacking Society
– Software Developer
– Security Consultant
• Synopsys
– Historically all about hardware
– SIG formed to tackle software
– Team consisting of well-known organizations
– BlackDuck
– Coverity
– Codenomicon
– Cigital
– Codiscope
Agenda
• JavaScript Landscape
• JavaScript Security Issues
• Static Code Analysis and Review Methods
• Challenges with JavaScript Code Analysis
• Tools and Automation
• Customizing Tools
JavaScript Landscape
From the beginning to now
A Time Once Forgotten
• JavaScript was introduced in 1995
• JavaScript as we know it is an implementation of ECMAScript
• The web was predominantly Server Based
– Client: HTML, CSS, and JavaScript
– Server: .NET, PHP, Java, etc.
– Database: MSSQL, MySQL, Oracle, etc.
• The old view was that you only had to protect the Server
• The client was for aesthetics
Life as we know it
“JavaScript is the most commonly used programming language on earth. Even back-end developers are more likely to use it than any other language.” – 2016 Stack Overflow Developer Survey
https://insights.stackoverflow.com/survey/2017
Example of Full-Stack JavaScript
• Database: MongoDB
• Server: Node.js/Express.js
• Client: Angular/AngularJS
Let's be REACTive!
• Every week, new JavaScript frameworks are created
• Frameworks are terrific development tools, but they all come with their own specific security features and threats
• Frameworks are sometimes vulnerable by default
– Abusing JavaScript frameworks to bypass XSS mitigations
• Teams transition to different frameworks in rapid succession
• Automated security tools are slow to adopt new frameworks
JavaScript Security Issues
Identifying issues by looking at code
Personal Tips
When working with a new language or framework here are my tips:
• Learn the idioms of the language
• Learn one issue well before moving onto the next
• Always document issues that you have found, and keep the code as a reference
• Use tools but do NOT rely on them
Covered Today
• Captured by automated code scanners
– Dynamic Execution of JavaScript
• Often misunderstood by Developers and Security Consultants
– postMessage
• Not easily detected by automated code scanners
– Client-Side Trust
Dynamic Execution of JavaScript
JavaScript provides various ways to execute JavaScript dynamically:
Method                                             | Example
eval(expression)                                   | eval("ale"+"rt(document.co"+"okie)");
execScript(expression [, language])                | window.execScript("alert(document.cookie)");
setTimeout(expression, milliseconds)               | setTimeout("alert('XSS')",3000);
setInterval(expression, milliseconds [, language]) | setInterval("alert('XSS')",3000);
• DOM-XSS happens quite often through dynamic execution of JavaScript
• Avoid passing user input to dynamic execution functions such as eval
Dynamic Execution of JavaScript
When worlds collide
• Client: JavaScript execution
• Server: RCE
Dynamic Execution of JavaScript Demo
When worlds collide
postMessage
• Websites by default are not able to communicate with each other due to the Same Origin Policy (SOP)
• The window.postMessage method enables cross-origin communication between Window objects
– A page and a popup it spawned
– A page and an embedded iframe
• If the developer does not validate the origin of the messages the page receives, any website can send messages that the page will act on
postMessage Example
postMessage Exploit
postMessage Remediation
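As an added example (not code from the slides), the receiving side of a postMessage exchange: the listener that trusts every sender, beside the remediated one that checks the origin and the message shape. The allowed origin https://app.example.com, the action names and the MessageEvent look-alike objects are constructed assumptions so the handlers run outside a browser.

```javascript
"use strict";

// Assumed trusted sender: only our own application origin may drive this window.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const KNOWN_ACTIONS = new Set(["setTheme", "resize"]);

// Vulnerable: every message is accepted and acted on, so any page that holds a
// reference to this window (the opener of a popup, the parent of an iframe) can
// drive whatever the handler does next.
function handleMessageUnsafe(event) {
  return { accepted: true, action: event.data.action, value: event.data.value };
}

// Remediated: exact-match event.origin against the allow-list (not startsWith or
// indexOf, which a look-alike host name can satisfy), then validate the shape and
// the action of the message before doing anything with it.
function handleMessageSafe(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  const data = event.data;
  if (data === null || typeof data !== "object" || typeof data.action !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  if (!KNOWN_ACTIONS.has(data.action)) {
    return { accepted: false, reason: "unknown action: " + data.action };
  }
  return { accepted: true, action: data.action, value: data.value };
}
// In the browser the handler is registered once:
//   window.addEventListener("message", handleMessageSafe);

// Sender side: name the target origin instead of "*". With "*" the browser still
// delivers the message if the target window has since navigated to another site.
function postToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin; specify the frame's origin");
  }
  frameWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Constructed MessageEvent look-alikes: origin and data are the fields that matter.
const fromApp = { origin: "https://app.example.com", data: { action: "setTheme", value: "dark" } };
const fromLookalike = { origin: "https://app.example.com.attacker.invalid", data: { action: "setTheme", value: "dark" } };
const fromAppMalformed = { origin: "https://app.example.com", data: "setTheme" };

console.log(handleMessageUnsafe(fromLookalike));  // accepted: true (the bug)
console.log(handleMessageSafe(fromLookalike));    // accepted: false
console.log(handleMessageSafe(fromApp));          // accepted: true
console.log(handleMessageSafe(fromAppMalformed)); // accepted: false
```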
postMessage Demo
Crossing the origin
Client-Side Trust Issues
With the introduction of all of these frameworks, a lot of the heavy load has moved to the client
• Wrong assumptions:
– Data stored on the client is not accessible to attackers
– Data submitted by the client to the server is controlled by the client-side code
• In fact:
– Data stored on the client is almost always accessible to attackers
– Actions performed on the client are fully controlled by attackers
• HTML5 storage persists
– Sensitive information should not be stored in cached pages, form data, or cookies
– Sensitive information should only be stored in sessionStorage, rather than localStorage
• Sometimes only client-side controls are relied on to protect sensitive data
– https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users/
They are client-side checks!
Static Code Analysis and Review Methods
Let’s walk the tree
Static Analysis
• Manual Code Review is painful and can be boring if you have millions of lines to look at
• The term is commonly used to describe the automated process of reviewing the code using Static Code Analysis (SCA)
• Usually carried out at the implementation phase of a Software Development Life Cycle (SDLC)
Static Analysis
• It helps identify:
– Security vulnerabilities introduced due to coding errors
– Security vulnerabilities deliberately introduced in source code
Static Analysis Process
Source Code → (Lex) → Tokens → (Parse) → Abstract Syntax Tree → (Semantics) → Walk the tree
Recommended:
https://www.youtube.com/watch?v=DE18fHyZ0GI
https://interpreterbook.com/
http://astexplorer.net
http://resources.jointjs.com/demos/javascript-ast
Challenges with JavaScript Code Analysis
• JavaScript is an object-based prototypal language, which can be dynamically changed at run-time
• Every JavaScript object has a prototype object, which can be overridden to do something different:
Variables of JavaScript Can Contain Different Types
In addition, JavaScript Has Type Coercion
• Type coercion converts one type of object to a new object with similar content, but of a different type
JavaScript Has Higher Order Functions
• Higher-order functions can take another function as an argument
JavaScript By Default Is Forgiving
• Strongly typed JavaScript frameworks were created to make developers' lives easier
• Strongly typed JavaScript === fewer bugs
New Languages and Features
• Everyone wants to invent their own way of building modern applications
– GWT – Java to JavaScript
– TypeScript – Typed JavaScript to JavaScript
– Pyscript – Python to JavaScript
– FunScript – FSharp to JavaScript
– More: http://todomvc.com
• Automated code scanners have little support for these languages and frameworks
• Strongly typed JavaScript is transpiled to JavaScript before it is interpreted
• Issues can be identified in the generated JavaScript, but need to be mapped back to the location of the problem in the original source
• New features such as ES6/7/8 require updates to the static analysis process
Data Flow Analysis
Explaining Sources and Sinks in JavaScript
• Dynamic Execution of JavaScript
• AngularJS XSS
JavaScript Static Analysis Tools
Commercial products that perform JavaScript data flow analysis:
• Coverity
• Fortify
• Checkmarx
• AppScan Source
• VeraCode
Tools that look for known issues in JavaScript libraries:
• Retire.js
• NSP
• Snyk
Tools that look for areas of interest:
• Burp Passive Scanner
• ScanJS (Deprecated)
• JSHint
• JSLint
• ESLint
Tools that deobfuscate JavaScript:
• Closure Compiler
• JStillery
Use what works for you
ESLint
• ESLint is an open-source pluggable linting utility for JavaScript
• Linters parse ASTs to identify code quality and security issues
• ESLint was created to allow developers to enforce rules
• Can be hooked into the development release cycle
– Many developers do not allow code to be pushed with ESLint issues flagged
– You can create Git Hooks
– Can be part of CI/CD pipeline
• Allows custom rules to enforce domain specific guidance
ESLint
• ESLint is now the go-to tool for JavaScript developers
https://stateofjs.com/2017/other-tools/
ESLint Security Rules
• ESLint can help security consultants look for points of interest
• Default security rule configs
– NodeJS https://github.com/nodesecurity/eslint-config-nodesecurity
– VanillaJS https://github.com/mozfreddyb/eslint-config-scanjs
– AngularJS https://github.com/LewisArdern/eslint-config-angular-security
– React https://github.com/yannickcr/eslint-plugin-react#list-of-supported-rules
• Security rules
– eslint-plugin-scanjs
– eslint-plugin-security
– eslint-plugin-react
– eslint-plugin-angular-security
– eslint-plugin-no-wildcard-postmessage
– eslint-plugin-no-unsafe-innerhtml
Creating Your Own Rules
Problem: In AngularJS security assessments I want to identify problem locations quickly
Solution: Create ESLint rules to run on every assessment as a starting point:
• Current
– Basic rules to identify points of interest
– Identifies:
– Security Misconfigurations
– Expression Injection
– Client-Side Open-Redirection
• Roadmap:
– More rules
– Angular 2/4 support to come
– Maintain state of variable declarations
– Improve the rules to only identify actual issues
Steps To Create a Rule
• Create a test with a true positive and a false positive
• Walk the JavaScript AST and identify your requirements
• Create a rule from the AST output
• Make sure the test passes
Creating a Test
Identifying The Requirements
Create The Rule
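The rule-creation steps above and the "walk the tree" stage of the static analysis process, as an added example that is not the author's rule set: an ESLint-format rule flagging the dynamic-execution sinks from the earlier table (eval, execScript, and setTimeout/setInterval called with something other than a function), run over a hand-built ESTree AST by a small walker so it executes here without ESLint installed. The walker, the `lint` helper, the rule name and the sample program are assumptions of this example; only the `noDynamicExecution` object is in the shape ESLint loads.

```javascript
"use strict";

// Sinks from the dynamic-execution table: these always execute their argument as code.
const STRING_SINKS = new Set(["eval", "execScript"]);
// These execute code only when the first argument is a string rather than a function.
const TIMER_SINKS = new Set(["setTimeout", "setInterval"]);

// Resolve the callee name for eval(...), window.eval(...) or window.execScript(...).
function calleeName(callee) {
  if (callee.type === "Identifier") return callee.name;
  if (callee.type === "MemberExpression" && !callee.computed &&
      callee.object.type === "Identifier" && callee.object.name === "window" &&
      callee.property.type === "Identifier") {
    return callee.property.name;
  }
  return null;
}

// Anything that is not a function literal is treated as code-as-string. A static rule
// cannot know the runtime value of an Identifier, so those are reported too, as a
// point of interest for the reviewer rather than a confirmed finding.
function isNonFunctionArgument(arg) {
  return arg !== undefined &&
    arg.type !== "FunctionExpression" && arg.type !== "ArrowFunctionExpression";
}

// The rule itself, in ESLint's rule format: `create` returns visitors keyed by node type.
const noDynamicExecution = {
  meta: { type: "problem", docs: { description: "disallow executing JavaScript from strings" } },
  create(context) {
    return {
      CallExpression(node) {
        const name = calleeName(node.callee);
        if (name === null) return;
        if (STRING_SINKS.has(name)) {
          context.report({ node, message: `${name}() executes its argument as code` });
        } else if (TIMER_SINKS.has(name) && isNonFunctionArgument(node.arguments[0])) {
          context.report({ node, message: `${name}() called with a non-function first argument` });
        }
      },
    };
  },
};

// Minimal ESTree walker standing in for ESLint's traversal: depth-first, calling the
// visitor registered for each node's type before descending into its children.
function walk(node, visitors) {
  if (node === null || typeof node !== "object") return;
  if (Array.isArray(node)) { node.forEach((child) => walk(child, visitors)); return; }
  if (typeof node.type === "string" && visitors[node.type]) visitors[node.type](node);
  for (const key of Object.keys(node)) {
    if (key !== "type" && key !== "loc" && key !== "range") walk(node[key], visitors);
  }
}

// Run one rule over an AST and collect the report messages in source order.
function lint(ast, rule) {
  const messages = [];
  const context = { report: (r) => messages.push(r.message) };
  walk(ast, rule.create(context));
  return messages;
}

// Builders for the constructed ESTree fragments below (the node shapes espree emits).
const id = (name) => ({ type: "Identifier", name });
const lit = (value) => ({ type: "Literal", value });
const member = (obj, prop) => ({ type: "MemberExpression", object: id(obj), property: id(prop), computed: false });
const arrow = () => ({ type: "ArrowFunctionExpression", params: [], body: { type: "BlockStatement", body: [] } });
const stmt = (callee, args) => ({
  type: "ExpressionStatement",
  expression: { type: "CallExpression", callee, arguments: args },
});

// Constructed program, equivalent to:
//   eval("ale" + "rt(1)"); window.execScript("x"); setTimeout("alert(1)", 3000);
//   setInterval(() => {}, 3000); setTimeout(cb, 10);
const sampleProgram = {
  type: "Program",
  body: [
    stmt(id("eval"), [{ type: "BinaryExpression", operator: "+", left: lit("ale"), right: lit("rt(1)") }]),
    stmt(member("window", "execScript"), [lit("x")]),
    stmt(id("setTimeout"), [lit("alert(1)"), lit(3000)]),
    stmt(id("setInterval"), [arrow(), lit(3000)]),
    stmt(id("setTimeout"), [id("cb"), lit(10)]),
  ],
};

// Expected: four reports (eval, execScript, the string setTimeout, and the setTimeout(cb)
// point of interest); the setInterval with a function argument is clean.
function runSample() {
  return lint(sampleProgram, noDynamicExecution);
}

console.log(runSample().join("\n"));
```

In a real plugin only `noDynamicExecution` ships: ESLint's own parser and traversal replace `walk` and `lint`, and its RuleTester takes the place of the constructed AST when writing the true-positive and false-positive tests.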
ESLint Demo
Capturing points of interest on AngularJS
Summary
• JavaScript is a wonderful and weird language
• Learn types of issues well, to be able to detect them more easily
• You have to be concerned about JavaScript on both the client and the server
• Learning the underlying process of static analysis can help you identify issues more easily and quickly
• Use and extend tools but do NOT rely on them
Thank You
BSides Leeds - Performing JavaScript Static Analysis

JMeter webinar - integration with InfluxDB and Grafana
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 

BSides Leeds - Performing JavaScript Static Analysis

© 2017 Synopsys, Inc. 9
JavaScript Security Issues
Identifying issues by looking at code
© 2017 Synopsys, Inc. 10
Personal Tips
When working with a new language or framework, here are my tips:
• Learn the idioms of the language
• Learn one issue well before moving onto the next
• Always document issues that you have found, and keep the code as a reference
• Use tools but do NOT rely on them
© 2017 Synopsys, Inc. 11
Covered Today
• Captured by automated code scanners
– Dynamic Execution of JavaScript
• Often misunderstood by Developers and Security Consultants
– postMessage
• Not easily detected by automated code scanners
– Client-Side Trust
© 2017 Synopsys, Inc. 12
Dynamic Execution of JavaScript
JavaScript provides various ways to execute JavaScript dynamically
Method                                              Example
eval(expression)                                    eval("ale"+"rt(document.co"+"okie)");
execScript(expression [, language])                 window.execScript("alert(document.cookie)");
setTimeout(expression, milliseconds)                setTimeout("alert('XSS')",3000);
setInterval(expression, milliseconds [, language])  setInterval("alert('XSS')",3000);
• DOM-XSS happens quite often through Dynamic Execution of JavaScript
• Avoid passing user input to execution functions such as eval
© 2017 Synopsys, Inc. 13
Dynamic Execution of JavaScript
When worlds collide
(Diagram: JavaScript execution on the Client, RCE on the Server)
© 2017 Synopsys, Inc. 14
Dynamic Execution of JavaScript
Demo
When worlds collide
© 2017 Synopsys, Inc. 15
postMessage
• Websites by default are not able to communicate with each other due to the Same Origin Policy (SOP)
• The window.postMessage method enables cross-origin communication between Window objects
– Page and a popup it spawned
– Page and an embedded iframe
• If the developer does not validate the origin, any website can send messages to the handler
© 2017 Synopsys, Inc. 16
postMessage Example
© 2017 Synopsys, Inc. 17
postMessage Exploit
© 2017 Synopsys, Inc. 18
postMessage Remediation
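The unchecked message listener that slides 15 to 18 describe, beside its remediated form, as an added example that is not code from the deck; the trusted origin https://app.example.com, the event objects and the state object are constructed stand-ins for the browser's MessageEvent and application state.

```javascript
// Added example (not from the slides): postMessage handler without and with origin validation.
// Constructed placeholder for the one origin this page expects messages from.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Unsafe: any window holding a reference to this one (opener, parent, embedded iframe)
// can post a message and have it acted on, because event.origin is never checked.
function unsafeHandler(event, state) {
  state.sessionToken = event.data.token;
  return true;
}

// Remediation: reject messages from origins that are not explicitly trusted, and only
// then validate the payload shape before touching application state.
function safeHandler(event, state) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.token !== 'string') return false;
  state.sessionToken = data.token;
  return true;
}

// Browser wiring (not executed here): the listener receives a real MessageEvent.
//   window.addEventListener('message', (e) => safeHandler(e, appState));
// The sender should likewise name the recipient rather than passing '*' as targetOrigin:
//   targetWindow.postMessage({ token }, 'https://app.example.com');
```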
© 2017 Synopsys, Inc. 19
postMessage Demo
Crossing the origin
© 2017 Synopsys, Inc. 20
Client-Side Trust Issues
With the introduction of all of these frameworks, a lot of the heavy load has moved to the client
• Wrong assumptions:
– Data stored on the client is not accessible to attackers
– Data submitted by the client to the server is controlled by the client-side code
• In fact:
– Data stored on the client is almost always accessible to attackers
– Actions performed on the client are fully controlled by attackers
• HTML5 storage persists
– Sensitive information should not be stored in cached pages, form data, or cookies
– Sensitive information should only be stored in sessionStorage, rather than localStorage
• Sometimes only client-side controls are relied on to protect Sensitive Data
– https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users/
© 2017 Synopsys, Inc. 21
They are client-side checks!
© 2017 Synopsys, Inc. 22
Static Code Analysis and Review Methods
Let’s walk the tree
© 2017 Synopsys, Inc. 23
Static Analysis
• Manual Code Review is painful and can be boring if you have millions of lines to look at
• The term is commonly used to describe the automated process of reviewing the code using Static Code Analysis (SCA)
• Usually carried out at the implementation phase of a Software Development Life Cycle (SDLC)
© 2017 Synopsys, Inc. 24
Static Analysis
• It helps identify:
– Security vulnerabilities introduced due to coding errors
– Security vulnerabilities deliberately introduced in source code
© 2017 Synopsys, Inc. 25
Static Analysis Process
(Diagram: Source Code → Lex → Tokens → Parse → Abstract Syntax Tree → Semantics → Walk the tree)
Recommended:
– https://www.youtube.com/watch?v=DE18fHyZ0GI
– https://interpreterbook.com/
– http://astexplorer.net
– http://resources.jointjs.com/demos/javascript-ast
© 2017 Synopsys, Inc. 26
Challenges with JavaScript Code Analysis
• JavaScript is an object-based prototypal language, which can be dynamically changed at run-time
• Every JavaScript object has a prototype object, which can be overridden to do something different:
© 2017 Synopsys, Inc. 27
Variables of JavaScript Can Contain Different Types
© 2017 Synopsys, Inc. 28
In addition, JavaScript Has Type Coercion
• Type Coercion converts one type of object to a new object with similar content, but of a different type
© 2017 Synopsys, Inc. 29
JavaScript Has Higher Order Functions
• Higher-order functions can take another function as an argument
© 2017 Synopsys, Inc. 30
JavaScript By Default Is Forgiving
• Strongly typed JavaScript frameworks were created to make developers' lives easier
• Strongly typed JavaScript === fewer bugs
© 2017 Synopsys, Inc. 31
New Languages and Features
• Everyone wants to invent their own way of building modern applications
• GWT – Java to JavaScript
• TypeScript – Typed JavaScript to JavaScript
• Pyscript – Python to JavaScript
• FunScript – FSharp to JavaScript
• More – http://todomvc.com
• The support is low for automated code scanning against these frameworks
• Strongly typed JavaScript is transpiled to JavaScript before being interpreted
• Issues can be identified in the JavaScript code, but need to be mapped back to the problem location
• New features such as ES6/7/8 require updates to the static analysis process
© 2017 Synopsys, Inc. 32
Data Flow Analysis
Explaining Sources and Sinks in JavaScript
• Dynamic Execution of JavaScript
• AngularJS XSS
© 2017 Synopsys, Inc. 33
JavaScript Static Analysis Tools
Commercial products that perform JavaScript data flow analysis:
• Coverity
• Fortify
• Checkmarx
• AppScan Source
• VeraCode
Tools that look for known issues in JavaScript libraries:
• Retire.js
• NSP
• Snyk
Tools that look for areas of interest:
• Burp Passive Scanner
• ScanJS (Deprecated)
• JSHint
• JSLint
• ESLint
Tools that deobfuscate JavaScript:
• Closure Compiler
• JStillery
Use what works for you
© 2017 Synopsys, Inc. 34
ESLint
• ESLint is an open-source pluggable linting utility for JavaScript
• Linters parse ASTs to identify code quality and security issues
• ESLint was created to allow developers to enforce rules
• Can be hooked into the development release cycle
– Many developers do not allow code to be pushed with ESLint issues flagged
– You can create Git Hooks
– Can be part of a CI/CD pipeline
• Allows custom rules to enforce domain-specific guidance
© 2017 Synopsys, Inc. 35
ESLint
• ESLint is now the go-to tool for JavaScript developers
https://stateofjs.com/2017/other-tools/
© 2017 Synopsys, Inc. 36
ESLint Security Rules
• ESLint can help security consultants look for points of interest
• Default security rule configs
– NodeJS https://github.com/nodesecurity/eslint-config-nodesecurity
– VanillaJS https://github.com/mozfreddyb/eslint-config-scanjs
– AngularJS https://github.com/LewisArdern/eslint-config-angular-security
– React https://github.com/yannickcr/eslint-plugin-react#list-of-supported-rules
• Security rules
– eslint-plugin-scanjs
– eslint-plugin-security
– eslint-plugin-react
– eslint-plugin-angular-security
– eslint-plugin-no-wildcard-postmessage
– eslint-plugin-no-unsafe-innerhtml
© 2017 Synopsys, Inc. 37
Creating Your Own Rules
Problem: In AngularJS security assessments I want to identify problem locations quickly
Solution: Create ESLint rules to run on every assessment as a starting point:
• Current
– Basic rules to identify points of interest
– Identifies:
– Security Misconfigurations
– Expression Injection
– Client-Side Open-Redirection
• Roadmap:
– More rules
– Angular 2/4 support to come
– Maintain state of variable declarations
– Improve the rules to only identify actual issues
© 2017 Synopsys, Inc. 38
Steps To Create a Rule
• Create a test with true positive and false positive
• Walk the JavaScript AST and identify your requirements
• Create a rule from the AST output
• Make sure the test passes
© 2017 Synopsys, Inc. 39
Creating a Test
© 2017 Synopsys, Inc. 40
Identifying The Requirements
© 2017 Synopsys, Inc. 41
Create The Rule
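An added example, not code from the talk or from any of the plugins listed on slide 36: a rule in the shape ESLint's rule API expects (meta plus create(context) returning node visitors), flagging postMessage calls whose targetOrigin is the literal '*', the issue that eslint-plugin-no-wildcard-postmessage exists to catch. The small depth-first walker and the hand-built ESTree input are assumptions standing in for ESLint's traversal and parser, so the four steps of slide 38 (write a test, walk the AST, write the rule, make the test pass) can be run here without ESLint installed.

```javascript
// Added example (not the slides' code): ESLint-shaped rule flagging postMessage(..., '*').
const noWildcardPostMessage = {
  meta: { type: 'problem', docs: { description: 'disallow postMessage with a "*" targetOrigin' } },
  create(context) {
    return {
      // ESLint invokes this visitor for every CallExpression while it walks the AST.
      CallExpression(node) {
        const callee = node.callee;
        const isPostMessage =
          callee.type === 'MemberExpression' && !callee.computed &&
          callee.property.type === 'Identifier' && callee.property.name === 'postMessage';
        if (!isPostMessage) return;
        const target = node.arguments[1];
        if (target && target.type === 'Literal' && target.value === '*') {
          context.report({ node, message: 'postMessage targetOrigin is "*"; name the recipient origin' });
        }
      },
    };
  },
};

// Minimal depth-first ESTree walker standing in for ESLint's traversal (assumption:
// any child property carrying a `type` string is a node).
function walk(node, visitors) {
  if (!node || typeof node.type !== 'string') return;
  if (visitors[node.type]) visitors[node.type](node);
  for (const key of Object.keys(node)) {
    if (key === 'type' || key === 'loc') continue;
    const child = node[key];
    if (Array.isArray(child)) child.forEach((c) => walk(c, visitors));
    else if (child && typeof child === 'object') walk(child, visitors);
  }
}

// Run one rule over an AST and return its report messages (the test step of slide 38).
function lint(ast, rule) {
  const reports = [];
  walk(ast, rule.create({ report: (r) => reports.push(r.message) }));
  return reports;
}

// Hand-built ESTree (constructed sample input) for `win.postMessage(msg, <targetOrigin>)`.
function postMessageCallAst(targetOrigin) {
  const callee = {
    type: 'MemberExpression', computed: false,
    object: { type: 'Identifier', name: 'win' },
    property: { type: 'Identifier', name: 'postMessage' },
  };
  const call = {
    type: 'CallExpression', callee,
    arguments: [{ type: 'Identifier', name: 'msg' }, { type: 'Literal', value: targetOrigin }],
  };
  return { type: 'Program', body: [{ type: 'ExpressionStatement', expression: call }] };
}
```

With ESLint installed, the same rule object can be exported from a plugin and exercised with ESLint's RuleTester using the true-positive and false-positive cases below.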
© 2017 Synopsys, Inc. 42
ESLint Demo
Capturing points of interest on AngularJS
© 2017 Synopsys, Inc. 43
Summary
• JavaScript is a wonderful and weird language
• Learn the types of issues well, to be able to detect them more easily
• You have to be concerned about JavaScript on both the Client and the Server
• Learning the underlying process of static analysis can help you identify issues more easily and quickly
• Use and extend tools but do NOT rely on them