
Top JavaScript Frameworks for Web Applications

JavaScript is the language behind nearly 90% of all websites today, but what are the top JavaScript frameworks for web applications?

Since first launching back in September 1995, JavaScript continues to dominate as the most popular programming language in the world.

Various JavaScript elements enable web and mobile users to interact with and manipulate web applications in ways we often take for granted.


JavaScript is responsible for the seemingly magical transitions and real-time experiences that we’re constantly interacting with on our favorite websites without even noticing. Here are some examples of popular JavaScript frameworks for web applications.


3 of the Top JavaScript Frameworks for Web Applications

AngularJS

Originally developed in 2009 and released in 2010, AngularJS is a structural framework for dynamic web apps. AngularJS picks up where HTML left off by allowing you to extend the HTML vocabulary of your web application, which translates into an expressive and readable environment. At the heart of this framework is two-way data binding, which synchronizes the view and the model when a user provides input and interacts with the interface.


Taking the crown as the most used JavaScript framework for single-page web applications, AngularJS keeps growing in popularity year after year. In the 2016 Stack Overflow Developer Survey, 17.9% of the over 50,000 developers surveyed indicated that they use AngularJS, a 4.6% increase from 2015. Angular is maintained by Google and an incredibly large community of Angular developers, which numbers nearly 80,000 in the AngularJS Google+ community alone.


While games and GUI editors are examples of applications that are not ideal fits for Angular, this framework shines when it comes to CRUD (Create, Read, Update, Delete) applications, which make up the majority of applications found on the web.

AngularJS Security Risks

While there are no known Common Vulnerabilities and Exposures (CVEs) for AngularJS, developers should be concerned about a subtype of injection known as content injection, or content spoofing. Content spoofing occurs when an application does not properly handle user-supplied data: using a parameter value, a malicious party supplies content to the application, which reflects it back to the user. As a result, the user finds themselves on a modified page served under the context of a trusted domain.


Content spoofing is closely related to Cross-site Scripting (XSS), but where XSS attacks use <script> and other techniques to run JavaScript, content spoofing relies on other techniques. Even when an application is protected against XSS, via methods such as proper output encoding, it can still be at risk from content spoofing attacks.
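To make the distinction concrete, here is an added example (not code from AngularJS or the original post) of a page that reflects a `msg` query parameter. The parameter name, the allowlist of notices and the sample query are constructed for this illustration: output encoding stops XSS, but the reflected version still displays any wording the parameter carries under the trusted domain, while the allowlisted version only ever shows fixed text.

```javascript
// Constructed allowlist of notice texts keyed by a short identifier.
const NOTICES = {
  login_required: "Please sign in to continue.",
  session_expired: "Your session has expired. Please sign in again.",
};
const DEFAULT_NOTICE = "";

// Minimal HTML text-context encoder.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Open to content spoofing: whatever text arrives in ?msg= is displayed.
// Encoding means no script runs, but the caller still controls the wording.
function renderNoticeReflected(query) {
  const msg = query.msg === undefined ? DEFAULT_NOTICE : query.msg;
  return `<p class="notice">${escapeHtml(msg)}</p>`;
}

// Hardened: the parameter only selects a message key; unknown keys fall back
// to a fixed default, so no caller-supplied wording ever reaches the page.
function renderNoticeAllowlisted(query) {
  const key = String(query.msg === undefined ? "" : query.msg);
  const text = Object.prototype.hasOwnProperty.call(NOTICES, key)
    ? NOTICES[key]
    : DEFAULT_NOTICE;
  return `<p class="notice">${escapeHtml(text)}</p>`;
}

// Constructed sample: a link whose parameter carries arbitrary wording.
const spoofedQuery = { msg: "Service notice: all accounts are being migrated tomorrow." };
console.log(renderNoticeReflected(spoofedQuery));   // caller's wording shown on the trusted page
console.log(renderNoticeAllowlisted(spoofedQuery)); // empty default notice
console.log(renderNoticeAllowlisted({ msg: "session_expired" }));
```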


Additionally, being able to execute malicious code in the expression sandbox is one way of introducing XSS into an Angular web app. The sandbox feature was intended to separate different responsibilities within the application; however, if a malicious party wanted to introduce an XSS attack into a web application, this would be the way.


Other security risks facing AngularJS developers include broken authentication and session management, insecure direct object references, security misconfigurations and more; these are detailed in depth in Kevin Hakanson’s OWASP Top 10 for AngularJS video below.


Popular websites built using AngularJS

YouTube (for PS3)

Backbone.js

Developed and released in 2010, Backbone.js boasts a small package size (7.5KB in production, compared to AngularJS’ 144KB) because its only hard dependency is a single JavaScript library, UnderscoreJS, with jQuery needed for its full library. Relatively easy for developers to learn, Backbone.js was designed for building single-page web applications, and some of the most popular pages on the internet are built with it.


The Backbone.js project is hosted on GitHub, and real-world applications of this emerging framework range from CRM platforms to online news sites, multimedia pages and more. From the news angle, USA Today keeps its code base manageable and efficient through the modularity of Backbone.js’ data/model lifecycle. On the interactive side, Hulu used Backbone.js to define itself as the next generation of online video experience, with elements such as smooth transitions during navigation between pages thanks to dynamic page loading. WordPress’ notification system is powered by Backbone.js models, collections and views.

Backbone.js Security Risks

Like Angular, Backbone does not have any CVEs; however, unlike Angular, Backbone lacks a security contact and security documentation on how to write secure code. Backbone does, however, have a dependency on jQuery, which has known CVEs.


Backbone also differs from Angular in that it does not have an expression sandbox, which means the responsibility for safely putting JavaScript expressions into templates rests with developers. Backbone developers need to ensure that they use the correct escape functions in order to properly secure their applications.

Popular Websites Built with Backbone.js

Pandora Radio


Knockout

Knockout is a standalone JavaScript implementation of the Model-View-ViewModel pattern with templates, authored by Steve Sanderson in 2010. Knockout enables developers to code rich and responsive display and editor user interfaces with a clean underlying data model. Knockout helps web applications with a simpler and easier-to-maintain implementation of dynamic updates.


Core Knockout features include elegant dependency tracking, declarative bindings, and the fact that it is trivially extensible. Unlike Angular, Knockout works under the model-view-viewmodel (MVVM) design paradigm, which separates the development of the graphical user interface, whether via a markup language or GUI code, from the development of the business logic.

Knockout Security Risks

Due to its binding capabilities, Knockout’s biggest threat comes from XSS attacks. As noted in this Knockout security thread on StackExchange, “The vulnerabilities come from the use of eval (or some equivalent) to convert text in the data-bind attribute to executable script. Most of the examples show attacks where malicious script could be executed if it is injected into a data-bind attribute.”
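The following added example (not code from Backbone.js, Knockout or the original post) covers both the Backbone escaping point above and the Knockout data-bind point here. It assumes a constructed user record and view model: HTML escaping is the right tool for text interpolated into a template, but it does not protect a data-bind attribute, which is parsed as a JavaScript expression, so user data must stay on the view model and only be referenced by property name.

```javascript
// Escape set matches what Underscore's _.escape (behind Backbone's
// model.escape()) replaces: & < > " ' `
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Backbone-style view: raw interpolation (like <%= name %> in an Underscore
// template) lets markup in the attribute reach the DOM; the hardened render
// escapes first (like <%- name %> or model.escape("name")).
function renderUserUnsafe(attrs) {
  return `<li class="user">${attrs.name}</li>`;
}
function renderUser(attrs) {
  return `<li class="user">${escapeHtml(attrs.name)}</li>`;
}

// Knockout-style binding: the data-bind attribute is parsed as a JavaScript
// object literal, so text concatenated into it becomes part of the expression.
// HTML escaping does not help: the browser decodes entities before the binding
// string is parsed. Even ordinary data such as O'Brien breaks the expression.
function buildTextBindingUnsafe(userName) {
  return `<span data-bind="text: '${userName}'"></span>`;
}

// Hardened: the binding names a view-model property only; the name must be a
// plain identifier that exists on the view model, so the user's value travels
// on the view model rather than inside the binding string.
function buildTextBinding(viewModel, property) {
  const isIdentifier = /^[A-Za-z_$][\w$]*$/.test(property);
  const exists = Object.prototype.hasOwnProperty.call(viewModel, property);
  if (!isIdentifier || !exists) {
    throw new Error(`refusing to bind unknown property: ${property}`);
  }
  return `<span data-bind="text: ${property}"></span>`;
}

// Constructed sample data.
const profile = { name: "<b>Alice</b>" };
const viewModel = { userName: "O'Brien" };
console.log(renderUserUnsafe(profile), renderUser(profile));
console.log(buildTextBindingUnsafe(viewModel.userName)); // text: 'O'Brien' is a broken expression
console.log(buildTextBinding(viewModel, "userName"));    // text: userName
```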

Websites Built with Knockout
Tecmundo Brasil



JavaScript frameworks power some of the most popular sites on the internet, but they also carry potential security risks that could bring immeasurable harm to both you and your users. Checkmarx scans JavaScript static code for security and compliance issues and allows your developers to identify and mitigate issues in the code early in the secure software development lifecycle (sSDLC).



For a deeper dig into JavaScript frameworks and security issues, check out our JavaScript vulnerabilities overview page!
