JavaScript Overview and Vulnerabilities

javascript vulnerabilities
Brief History of JavaScript:

What are some of the most common JavaScript vulnerabilities? Where and why was JavaScript created? Which frameworks are supported by Checkmarx? Read on to find the answers to these and more.

When was JavaScript created?

JavaScript (JS) was developed in just 10 days by Netscape Communications Corporation programmer Brendan Eich who went on to co-found the Mozilla Project. When it first shipped in September 1995 in Netscape Navigator, JavaScript was known as LiveScript and it was originally developed under the name Mocha. The name change from LiveScript to JavaScript came at the same time as Netscape’s adoption of Java support in its browser and, despite the confusion, the name change to JavaScript worked as a marketing tactic to capitalize on the hot programming language of the time, Java despite the fact that JavaScript has almost nothing to do with Java.

Why was JavaScript created?

JavaScript was created when Netscape decided that two languages were needed for their browser, rather than just Java. Eich explained that Java was seen as a “component language” used by higher priced programmers and that he wanted to create a “glue language” for Web designers and casual programmers, or “weekend-warriors,” who were building Web content (images, Java applets, plugins).

As a “glue language,” programmers would use JavaScript to assemble components and automate their interactions. JavaScript is found inside of HTML documents and enables interactions with web pages in ways that are not possible through regular HTML. JavaScript allows us to zoom in and out of maps, play online games and automatically schedule appointments.

In 2016, 88.1% of all websites use JavaScript including Facebook, Youtube, Google and Wikipedia and thanks to JavaScript elements that are often taken for granted–real-time notifications for likes, comments, etc.– are loaded without having to reload the web page.

JavaScript Vulnerabilities:

Hackers use JavaScript exploitation tools to attack websites, organizations and individuals. JavaScript vulnerabilities can be both client-side problems and enterprise nightmares as hackers are able to steal server-side data and infect users with malware.

Cross-Site Scripting (XSS) Attacks

The most common application vulnerability exploit in web applications is cross-site scripting (XSS). Through the manipulation of JavaScript and HTML scripts, hackers execute malicious scripts (also known as “malicious payloads”) using an unsuspecting user’s web browser which can result in the script being embedded in the web page they are visiting. Every time that user visits the web page, or a predefined action is performed, the malicious script is triggered and executed.

XSS attacks have the potential to cause serious threats to companies and enterprise accounts which can result in identity theft and data theft. By executing XSS attacks, hackers are able to inject and spread viruses and worms throughout the company’s network, access clipboard data and browsing histories and even gain remote control of the browser which helps them search for and identify other possible vulnerabilities which can be used for further XSS attacks.

Due to JavaScript’s presence in almost every element of the web browsing experience, applications written using JavaScript are the most common victims for XSS attacks.

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is a form of exploit that occurs when unauthorized commands, which would be normally rejected, which results in the website being tricked to believe that the malicious user is an authorized user via a forged authorization. Upon a successful exploit of this vulnerability, the hacker is able to access functions of the web application that would normally be denied.

Risks associated with CSRF attacks include impersonation and identity riding, modification of application data using the victim’s credentials and permissions, launching organized attacks against all of the application’s users, exploitation of vulnerable DSL routers and more.

CSRF is often pronounced “sea-surf” and is alternatively abbreviated as XSRF.

JavaScript Frameworks Supported by Checkmarx

Node.js

node.js

While not a JavaScript framework itself, a majority of Node.js modules are written in JavaScript and developers are able to add and write new modules in JavaScript. Node.js has an event-driven architecture that is used in many popular real-time web applications which include communication tools and in-browser games and is the most leading cross-platform runtime environment for server side applications written in JavaScript. Trusted by some of the biggest names on the web, including GoDaddy, Groupon, IBM, Netflix, etc., Node.js can also utilize code written in Edge.js, Lua, Julia and COBOL.

Vulnerabilities associated with Node.js include application layer DDoS, attacks which can bring servers to their knees, brute-force attacks and business logic attacks.

JQuery

download

JQuery, the most popular JavaScript library, is a cross-platform library designed to simplify the client-side scripting of HTML and can be found on 65% of the top 10 million most visited websites. The advantages of using JQuery include the fact that it encourages the separation of JavaScript and HTML, that it promotes brevity and clarity, the elimination of cross-browser incompatibilities and the fact that it is extensible as new events, elements and methods can be easily added and subsequently reused.

JQuery security vulnerabilities include cross site scripting (XSS) as well as “JavaScript Hijacking.”

Ajax

ajax

Ajax, which first appeared in 2005, is short for “asynchronous JavaScript and XML.” Ajax allows web applications to send and retrieve data from a server in the background without disturbing the appearance and actions of an existing page. Ajax, however, does have its drawbacks which include the inability to use pages that are dependant on Ajax if a browser does not support JavaScript and the fact that asynchronous callback-style of programming can be hard to maintain, test and debug.

knockout.js

knockout

Knockout is a standalone JavaScript implementation authored by Steve Sanderson, a Microsoft employee, was released in 2010 and is based on the underlying principles of:

-A clear separation between domain data, view components and data to be displayed
-The presence of a clearly defined layer of specialized code to manage the relationships between the view components

Knockout’s features include declarative bindings, automatic UI refresh, dependency tracking and templating. Knockout is an, “attacker’s best friend” because of the way it allows to execute arbitrary JavaScript by injecting into HTML5 data attributes. To read more about the Knockout specific injection attacks, click here.

Angular.JS

angular

AngularJS is an open-source web application framework that was released in 2010 and is maintained by Google and a community of individuals and companies. Created based on the belief that declarative programming should be used to create user interfaces and connect software components. AngularJS is much more lightweight that a typical framework and as a result, many confuse it with a library.

Developers do need to worry about security holes in AngularJS which include injections, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfigurations and more.

ExpressJSexpress

 

Authored by TJ Holowaychuk, ExpressJS is the “most starred NodeJS related package on GitHub, and averages over a million downloads every week.” In June 2014, AngularJS rights were acquired by Strongloop, which was subsequently acquired by IBM in 2015.

Jadejade

 

Released in 1996 by the New Zealand-based Jade Software Corporation, JADE is a, “proprietary object-oriented software development and deployment platform product.” JADE was developed in order to create a seamlessly integrated programming language to allow developers to create one application from end-to-end rather than having to write three different applications for the database server, application server, and presentation client in addition to the code needed for them to communicate with each other.

Backbonebackbone

 

Backbone.js gives structure to web applications by, “providing models with key-value binding and custom events, collections with a rich API of enumerable functions, views with declarative event handling, and connects it all to your existing API over a RESTful JSON interface.”

Developed by Jeremy Ashkenas and released in 2010, a larger number of popular web applications, such as Airbnb, Drupal 8, LinkedIn and Pandora are built with Backbone.js.

Handlebars

handlebars

Handlebars, developed by Yehuda Katz in 2010, is a semantic web template system and is a superset of Mustache that can render Mustache template as well as Handlebar template. Mustache templates can be swapped out with Handlebars in most cases.

For a full list of all the programming languages supported by Checkmarx, click here.

JavaScript Static Code Analysis

Despite being used in the most popular websites that we frequent, JavaScript does, unfortunately, come with its own unique risks. Static code analysis is the best way to ensure that security vulnerabilities don’t make it into your code and that security is a top priority in every element of the software development life cycle.

What makes Checkmarx the best solution for JavaScript static code analysis?

-Simple customization of the scanning rules to deliver the exact reports you need
-Choose which preset to apply to your code:
-Adherence with a specific security standard
-Compliance with PCI DSS
-Enforcement of best coding practices
-Create reports with all the information that you need which represent the findings

Your development team will be able to focus on resolving any issues quickly when you quickly give them the exact information that they need which will result in fewer problems which are much easier to fix as a result of the pre-release testing.

For more info on how Checkmarx can secure your JavaScript code, click here.

REQUEST A DEMO

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.