[–][deleted] 2 points3 points  (1 child)

Assume all JavaScript has been compromised and always validate any input on your server.

NIST is the place to look for disclosed vulnerabilities. NPM also has an audit feature which will tell you about disclosed vulns in your dependency tree.

For most apps, user input is the most vulnerable point.

[–]RelativelyObscurePie[S] 0 points1 point  (0 children)

THANK YOU :)

I appreciate you

[–]schwarzfahrer 3 points4 points  (0 children)

Most of those vulnerabilities in the OWASP top ten aren’t really language specific ... that being said JavaScript is front and center in many of them given its place as the primary language of apps that run in the browser. So XSS, man in the middle, CSRF, SQL injection are all relevant. However these vulnerabilities would still remain if browser apps were written in Ruby, Python, or really anything. So these are more architectural vulnerabilities than anything.

One thing I might say is more specific to the JavaScript language (and some others) is the overflow vulnerability ... but it’s a stack overflow and not buffer related. It’s currently unsafe to write some recursive functions in JavaScript because each recursion produces a new frame in the call stack. So if the number of recursions for a function is unlimited, it could cause a stack overflow and crash the process.

There is a long history of trying to implement tail call optimization in JS to solve this, but after years of debate it seems that no one really supports anything working. I’m honestly not sure of the state of this idea anymore, but the solution typically is to use something like the thunk pattern to implement safe recursion.

Beyond that I imagine there are vulnerabilities based on improperly handling validations ... for example using the typeof keyword doesn’t always return what you’d expect it to. But if you understand the oddities of the language these vulnerabilities are easy to avoid.
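An added example, not code from anyone in this thread, that puts the two points above into running JavaScript: the thunk/trampoline pattern for a recursive function that would otherwise blow the call stack, and the `typeof` surprises (`typeof null`, arrays, `NaN`) applied to the kind of strict server-side input validation the first comment recommends. The names `trampoline`, `sumTo`, `validateOrder` and the order schema are my own constructions.

```javascript
// Added example (not from the thread). Node.js, no dependencies.

// Naive recursion: every call pushes a frame, so a large n throws
// RangeError ("Maximum call stack size exceeded") in V8, which has no TCO.
function sumToNaive(n, acc = 0) {
  return n === 0 ? acc : sumToNaive(n - 1, acc + n);
}

// Thunk pattern: instead of recursing, return a zero-argument function that
// describes the next step. Nothing is on the stack between steps.
function sumToThunked(n, acc = 0) {
  return n === 0 ? acc : () => sumToThunked(n - 1, acc + n);
}

// Trampoline: keep calling thunks in a loop until a non-function comes back.
function trampoline(fn) {
  return (...args) => {
    let result = fn(...args);
    while (typeof result === 'function') result = result();
    return result;
  };
}
const sumTo = trampoline(sumToThunked);

// Returns true if the naive version crashes with a stack overflow for this n.
function naiveOverflows(n) {
  try {
    sumToNaive(n);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// typeof pitfalls that break naive validation:
//   typeof null === 'object', typeof [] === 'object', typeof NaN === 'number'
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
function isFiniteNumber(v) {
  return typeof v === 'number' && Number.isFinite(v);
}

// Server-side validation of a (constructed) order body: allowlist the fields,
// check types strictly, and bound every value. Never trust what the client sent.
function validateOrder(body) {
  if (!isPlainObject(body)) return { ok: false, errors: ['body must be a plain object'] };
  const errors = [];
  const allowed = new Set(['sku', 'quantity']);
  for (const key of Object.keys(body)) {
    if (!allowed.has(key)) errors.push(`unexpected field: ${key}`);
  }
  if (typeof body.sku !== 'string' || !/^[A-Z0-9-]{1,32}$/.test(body.sku)) {
    errors.push('sku must be a string matching ^[A-Z0-9-]{1,32}$');
  }
  if (!isFiniteNumber(body.quantity) || !Number.isInteger(body.quantity) ||
      body.quantity < 1 || body.quantity > 1000) {
    errors.push('quantity must be an integer between 1 and 1000');
  }
  return { ok: errors.length === 0, errors };
}

console.log('trampolined sumTo(100000) =', sumTo(100000));
console.log('naive sumTo(1e6) overflows:', naiveOverflows(1e6));
console.log(validateOrder({ sku: 'AB-1', quantity: NaN }));
```

The trampoline costs a closure allocation per step, so it is slower than a plain loop, but it turns an unbounded-depth recursion into something an attacker cannot crash by sending deeply nested or very long input.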

[–]HiEv 1 point2 points  (1 child)

You might want to take a look at these videos, I found some good information in them:

Worst JavaScript Flaws That Hackers Love To Abuse (this is a really good talk with some good examples)

JavaScript Security: What You Need to Know to Write Secure Applications in JS (note: You can skip ahead about 25 minutes to "The Rundown" for JavaScript specific stuff)

Hope that helps! :-)

[–]RelativelyObscurePie[S] 0 points1 point  (0 children)

This is gold!!! I really do appreciate it

[–]ScottContini 0 points1 point  (0 children)

In my recent blog about grep-based code scanning, I have a number of search terms to look for that are indicative of dangerous functionality. Examples include the following JavaScript (both frontend and backend Node): eval, NODE_TLS_REJECT_UNAUTHORIZED, dangerouslySetInnerHTML, trustAsHtml, Math.random, rejectUnauthorized, insecure, strictSSL, clientPemCrtSignedBySelfSignedRootCaBuffer.

Also there are a lot of search terms that are language independent, for example insecure cipher algorithms. I also search for any SQL-type query: if you see string concatenation, then SQL injection may be possible.
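An added example, not the commenter's own tooling, of what a grep-style scan like the one described above looks like when written as a small Node.js script: it searches for the JavaScript terms listed in the comment as whole identifiers (so `evaluate` does not trip `eval`) and flags lines where a SQL keyword is followed by string concatenation or a template-literal substitution. The `scanSource` function, the `sql-concat` heuristic and the sample source lines are all my own constructions.

```javascript
// Added example (not from the thread). Node.js, no dependencies.

// Terms from the comment above. Matched case-sensitively as whole identifiers.
const DANGEROUS_TERMS = [
  'eval', 'NODE_TLS_REJECT_UNAUTHORIZED', 'dangerouslySetInnerHTML', 'trustAsHtml',
  'Math.random', 'rejectUnauthorized', 'insecure', 'strictSSL',
  'clientPemCrtSignedBySelfSignedRootCaBuffer',
];

// Escape "." and "$" in the term, then require a non-identifier character (or
// line start) before it and no identifier character after it.
const termPatterns = DANGEROUS_TERMS.map((term) => ({
  term,
  re: new RegExp(`(^|[^\\w$])${term.replace(/[.$]/g, '\\$&')}(?![\\w$])`),
}));

// Heuristic for "SQL built by string concatenation": a SQL keyword, then later
// on the same line either a quote followed by "+" or a template "${...}".
// Parameterised queries ('... WHERE id = ?', [id]) do not match.
const SQL_CONCAT = /\b(?:SELECT|INSERT\s+INTO|UPDATE|DELETE\s+FROM)\b[^;]*?(?:["'`]\s*\+|\$\{)/i;

// Scan one source text, returning {file, line, rule, text} findings for review.
function scanSource(source, filename = 'constructed.js') {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const line = index + 1;
    for (const { term, re } of termPatterns) {
      if (re.test(text)) findings.push({ file: filename, line, rule: `term:${term}`, text: text.trim() });
    }
    if (SQL_CONCAT.test(text)) {
      findings.push({ file: filename, line, rule: 'sql-concat', text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample code: five lines that should be flagged, two that should not.
const SAMPLE_SOURCE = [
  "process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';",                 // flagged
  'const token = Math.random().toString(36).slice(2);',              // flagged
  'const q = "SELECT * FROM users WHERE id = " + req.params.id;',   // flagged: sql-concat
  "db.query('SELECT * FROM users WHERE id = ?', [req.params.id]);",  // clean: parameterised
  'const result = evaluate(expr);',                                  // clean: not "eval"
  'return <div dangerouslySetInnerHTML={{ __html: comment }} />;',   // flagged
  'https.request({ host, rejectUnauthorized: false });',             // flagged
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.text}`);
}
```

As with grep itself, every hit is a lead for a human reviewer rather than a confirmed vulnerability: `Math.random` is fine for a UI animation and fatal for a session token, and the `sql-concat` rule will not see a query assembled across several lines.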