BSides Leeds - Performing JavaScript Static Analysis

© 2017 Synopsys, Inc. 1
Performing JavaScript Static Analysis
A high-level overview of performing code review on JavaScript apps
Lewis Ardern
January 26, 2018

About Me
• Sr. Security Consultant @ Synopsys Software Integrity Group (SIG)
– Formerly Cigital
– 4 years within the security space
– Ph.D. Candidate at Leeds Beckett University
• Prior to Cigital
– B.Sc. in Computer Security and Ethical Hacking
– Founder of the Leeds Ethical Hacking Society
– Software Developer
– Security Consultant
• Synopsys
– Historically all about hardware
– SIG formed to tackle software
– Team consisting of well-known organizations
– BlackDuck
– Coverity
– Codenomicon
– Cigital
– Codiscope
Lewis

Agenda
• JavaScript Landscape
• JavaScript Security Issues
• Static Code Analysis and Review Methods
• Challenges with JavaScript Code Analysis
• Tools and Automation
• Customizing Tools

JavaScript Landscape
From the beginning to now

A Time Once forgotten
• JavaScript was introduced in 1995
• JavaScript as we know it is an implementation of ECMAScript
• The web was predominantly Server Based
– Client: HTML, CSS, and JavaScript
– Server: .NET, PHP, Java, etc
– Database: MSSQL, MySQL, Oracle, etc
• The old view was that you only had to protect the Server
• The client was for aesthetics

Life as we know it
"JavaScript is the most commonly used programming language on earth. Even back-end developers are
more likely to use it than any other language.” – 2016 Stack Overflow Developer Survey
https://insights.stackoverflow.com/survey/2017

Example of Full-Stack JavaScript
Database
MongoDB
Server
Node.js/Express.js
Client
Angular/AngularJS

Lets be REACTtive!
• Every week, new JavaScript frameworks are created
• Frameworks are terrific development tools, but they all come
with their own specific security features, and threats
• Frameworks are sometimes vulnerable by default
– Abusing JavaScript frameworks to bypass XSS mitigations
• Teams transition to different frameworks in rapid succession
• Automated security tools are slow to adopt new frameworks

JavaScript Security Issues
Identifying issues by looking at code

Personal Tips
When working with a new language or framework here are my tips:
• Learn the idioms of the language
• Learn one issue well before moving onto the next
• Always document issues that you have found, and keep the code as a reference
• Use tools but do NOT rely on them

Covered Today
• Captured by automated code scanners
–Dynamic Execution of JavaScript
• Often misunderstood by Developers and Security Consultants
–postMessage
• Not easily detected by automated code scanners
–Client-Side Trust

Dynamic Execution of JavaScript
Method Example
eval(expression) eval("ale"+"rt(document.co"+"okie)");
execScript(expression [, language]) window.execScript("alert(document.cookie)");
setTimeout(expression, milliseconds) setTimeout("alert('XSS')",3000);
setInterval(expression, milliseconds [,
language])
setInterval("alert('XSS')",3000);
JavaScript provides various ways to execute JavaScript dynamically
• DOM-XSS happens quite often through Dynamic Execution of JavaScript
• Avoid the use of user-input in execution queries such as eval

Dynamic Execution of JavaScript
When worlds collide
JavaScript
ExecutionClient
RCEServer

Dynamic Execution of JavaScript Demo
When worlds collide

postMessage
• Websites by default are not able to communicate with each other due to the Same Origin
Policy (SOP)
• window.postMessage method enables cross-origin communication between Window objects
– Page and a popup it spawned
– Page and an embedded iframe
• If the developer does not validate the origin, any website can communicate with the message

postMessage Example

postMessage Exploit

postMessage Remediation

postMessage Demo
Crossing the origin

Client-Side Trust Issues
With the introduction of all of these frameworks, a lot of the heavy load has moved to the client
• Wrong assumptions:
• Data stored on the client is not accessible to attackers
• Data submitted by the client to the server is controlled by the client-side code
• In fact:
• Data stored on the client is almost always accessible to attackers
• Actions performed on the client are fully controlled by attackers
• HTML5 storage persists
• Sensitive information should not be stored in caches pages, forms data, or cookies
• Sensitive information should only be stored in sessionStorage, rather than localStorage
• Sometimes only client-side controls are relied on to protect Sensitive Data
• https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users/

They are client-side checks!

Static Code Analysis and Review Methods
Let’s walk the tree

Static Analysis
• Manual Code Review is painful and can be boring if you have millions of lines to look at
• The term is commonly used to describe the automated process of reviewing the code using
Static Code Analysis (SCA)
• Usually carried out at the implementation phase of a Software Development Life Cycle (SDLC)

Static Analysis
• It helps identify:
– Security vulnerabilities introduced due to coding errors
– Security vulnerabilities deliberately introduced in source code

Source
Code
Tokens Lex Parse Semantics
Abstract
Syntax
Tree
Walk the
tree
Static Analysis Process
Recommended -
https://www.youtube.com/watch?v=DE18fHyZ0GI
https://interpreterbook.com/
http://astexplorer.net
http://resources.jointjs.com/demos/javascript-ast

Challenges with JavaScript Code Analysis
• JavaScript is an object-based prototypal language, which can be dynamically changed at run-
time
• Every JavaScript object has a prototype object, which can be overridden to do something
different:

Variables of JavaScript Can Contain Different Types

In addition, JavaScript Has Type Coercion
• Type Coercion converts one type of object to a new object with similar content, but of a
different type

JavaScript Has Higher Order Functions
• Higher-order functions can take another function as an argument

JavaScript By Default Is Forgiving
• Strongly Typed JavaScript frameworks to created to make developer lives easier
• Strongly typed JavaScript === less bugs

New Languages and Features
• Everyone wants to invent their own way of building modern applications
• GWT - Java to JavaScript
• TypeScript – Typed JavaScript to JavaScript
• Pyscript – Python to JavaScript
• FunScript – FSharp to JavaScript
• More - http://todomvc.com
• The support is low for automated code scanning against these frameworks
• Strongly Typed JavaScript is transpiled to JavaScript before interpreted
• Issues can be identified in the JavaScript code, but need to be mapped back to the problem location
• New features such as ES6/7/8 require updates to the static analysis process

Data Flow Analysis
Explaining Sources and Sinks in JavaScript
• Dynamic Execution of JavaScript
• AngularJS XSS

Commercial products that perform
JavaScript data flow analysis:
• Coverity
• Fortify
• Checkmarx
• AppScan Source
• VeraCode
Tools that look for known issues in
JavaScript libraries:
• Retire.js
• NSP
• Snyk
Tools that look for areas of interest:
• Burp Passive Scanner
• ScanJS (Deprecated)
• JSHint
• JSLint
• ESLint
Tools that deobfuscate JavaScript:
Closure Compiler
JStillery
Use what works for you
JavaScript Static Analysis Tools

ESLint
• ESLint is an open-source pluggable linting utility for JavaScript
• Linters parse ASTs to identify code quality and security issues
• ESLint was created was to allow developers to enforce rules
• Can be hooked into the development release cycle
– Many developers do not allow code to be pushed with ESLint issues flagged
– You can create Git Hooks
– Can be part of CI/CD pipeline
• Allows custom rules to enforce domain specific guidance

ESLint
• ESLint is now the go-to tool to JavaScript developers
https://stateofjs.com/2017/other-tools/

ESLint Security Rules
• ESLint can help security consultants look for points of interest
• Default security rule configs
– NodeJS https://github.com/nodesecurity/eslint-config-nodesecurity
– VanillaJS https://github.com/mozfreddyb/eslint-config-scanjs
– AngularJS https://github.com/LewisArdern/eslint-config-angular-security
– React https://github.com/yannickcr/eslint-plugin-react#list-of-supported-rules
• Security rules
– eslint-plugin-scanjs
– eslint-plugin-security
– eslint-plugin-react
– eslint-plugin-angular-security
– eslint-plugin-no-wildcard-postmessage
– eslint-plugin-no-unsafe-innerhtml

Problem: In AngularJS security assessments I want to identify problem locations quickly
Solution: Create ESLint rules to run on every assessment as a starting point:
• Current
– Basic rules to identify points of interest
– Identifies:
– Security Misconfigurations
– Expression Injection
– Client-Side Open-Redirection
• Roadmap:
– More rules
– Angular 2/4 support to come
– Maintain state of variable declarations
– Improve the rules to only identify actual issues
Creating Your Own Rules

• Create a test with true positive and false positive
• Walk the JavaScript AST and identify your requirements
• Create a rule from the AST output
• Make sure the test passes
Steps To Create a Rule

Creating a Test

Identifying The Requirements

Create The Rule

ESLint Demo
Capturing points of interest on AngularJS

Summary
• JavaScript is a wonderful and weird language
• Learn types of issues well, to be able to detect them easier
• You have to be concerned of JavaScript on the Client and the Server
• Learning the underlying process of static analysis can help you identify issues easier and
quicker
• Use and extend tools but do NOT rely on them

BSides Leeds - Performing JavaScript Static Analysis

BSides Leeds - Performing JavaScript Static Analysis

More Related Content

What's hot

Similar to BSides Leeds - Performing JavaScript Static Analysis

Recently uploaded

BSides Leeds - Performing JavaScript Static Analysis