Javascript Static Code Analyzer

Presentation on theme: "Javascript Static Code Analyzer"— Presentation transcript:

1 Javascript Static Code Analyzer
Héctor Quartino

2 About me 10+ years of developer experience.
Multiple languages / technologies (Java, C#, JS). Curious about Security for a while. AppSec NetSuite.

3 About this talk
Motivation.
A bit of theory on the concepts behind static code analyzers.
Related Javascript tools.
Why would one want a Javascript static code analyzer that is itself written in Javascript? How does a static code analyzer work? Can one leverage existing tools from the Javascript community to achieve this goal?

4 Static Code Analysis – What & Why?
Runs on source code (white-box testing).
Can use project-specific rules.
Can be automated.
Highly effective with specific patterns.
Early detection of potential issues.
Static code analyzers are thorough and consistent (unlike a human). Early detection is paramount because it makes it faster and cheaper to fix defects.

5 Why analyze Javascript code?
Scripting language of the Web.
Web applications vs. native apps on mobile.
JavaScript server applications: Rhino, NodeJS.
IoT: embedded devices, home automation, robotics, DIY.
Trend of web apps: websites are nowadays full-fledged apps. War of native applications: should one do a native app or a shell that contains a web app? Server applications: Javascript is here to stay, with Node being available on as many platforms as Java (and there are even projects that run Node applications in JEE containers). IoT: bring the RPi!

6 Why a Javascript Static Code Analyzer?
Scenario of 100% Javascript Applications is more common. Testing infrastructure in Javascript too! Goal: One language can give more flexibility to teams. Goal: Run static code analysis on CI / nightly builds. Goal: Leverage existing tools available in the Javascript community. One language means that developers and quality engineers from different layers do not have a language barrier.

7 Static Code Analysis Limitations
False positives: need a way to filter successive scan results.
False negatives: some vulnerabilities need to be discovered via dynamic code analysis.
Unaware of custom APIs, cross-layer vulnerabilities, or configuration files. Add custom rules to mitigate.

8 A few compiler concepts
Compiler: transforms code from one language to another.
Input -> Lexer -> Tokens -> Parser -> AST -> Optimizer -> IR -> Generator -> Output

9 A few compiler concepts
Compiler: transforms code from one language to another.
Input -> Lexer -> Tokens -> Parser -> AST -> Optimizer -> IR -> Generator -> Output
For many languages, the compiler already catches some types of bugs, e.g. type-checking errors. The front-end stages (lexer, parser, AST) are the ones used by static analysis.

10 A few compiler concepts (cont.)
Lexer: transforms code into tokens, according to the lexical grammar.

    Input: var foo = bar;  ->  Lexer  ->  Tokens

    Type        Value
    Keyword     var
    Identifier  foo
    Punctuator  =
    Identifier  bar
    Punctuator  ;
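A toy lexer for the token table above, added here as an illustration (it is not part of the talk and is far smaller than Esprima's lexer): it handles a subset of the ECMAScript lexical grammar (a few keywords, identifiers, decimal numbers and single-character punctuators) and uses Esprima's token type names.

```javascript
// Subset of the lexical grammar handled here (assumption: enough for the slide's examples).
const KEYWORDS = new Set(['var', 'let', 'const', 'function', 'if', 'else', 'return']);
const PUNCTUATORS = new Set(['=', ';', '(', ')', '{', '}', ',', '.', '>', '<', '+', '-']);

// Scan the source left to right and emit { type, value } tokens like the table on the slide.
function tokenize(source) {
  const tokens = [];
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (/\s/.test(ch)) { i += 1; continue; }            // whitespace only separates tokens
    if (/[A-Za-z_$]/.test(ch)) {                        // IdentifierName: keyword or identifier
      let j = i;
      while (j < source.length && /[A-Za-z0-9_$]/.test(source[j])) j += 1;
      const word = source.slice(i, j);
      tokens.push({ type: KEYWORDS.has(word) ? 'Keyword' : 'Identifier', value: word });
      i = j;
    } else if (/[0-9]/.test(ch)) {                      // decimal numeric literal
      let j = i;
      while (j < source.length && /[0-9]/.test(source[j])) j += 1;
      tokens.push({ type: 'Numeric', value: source.slice(i, j) });
      i = j;
    } else if (PUNCTUATORS.has(ch)) {
      tokens.push({ type: 'Punctuator', value: ch });
      i += 1;
    } else {
      // Anything outside the grammar is a lexical error, reported with its offset.
      throw new SyntaxError(`Unexpected character '${ch}' at offset ${i}`);
    }
  }
  return tokens;
}
```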

11 A few compiler concepts (cont.)
Parser: transforms tokens into an AST, according to the syntactic grammar.
Abstract Syntax Tree: represents program structure.

    Tokens  ->  Parser  ->  AST

    Tokens: Keyword var, Identifier foo, Punctuator =, Identifier bar, Punctuator ;
    AST:    VariableDeclaration
              |- foo (declared identifier)
              |- bar (initializer)

12 A few Static Code Analyzer techniques
Data Flow Analysis: collect dynamic information about data by analyzing static information. Determine the control flows for a given program.

    if (a > 1) {
      pathA(a);
    } else {
      pathB(1);
    }

    Control flow graph: if -> pathA -> end-if, if -> pathB -> end-if

13 A few Static Code Analyzer techniques
Taint Analysis: trace variables from user inputs (taints) to potentially vulnerable functions (sinks).

    var searchTerms = $('q').val();
    var trimmedSearchTerms = searchTerms.trim();
    // … code
    displaySearchResults(trimmedSearchTerms, results);

    function displaySearchResults(terms, results) {
      $(selector).append(terms); // XSS
    }

Taints that are used by sinks without proper sanitization can lead to security vulnerabilities. Taint analysis is a hard problem to solve in Javascript due to its dynamic features (eval, variadic arguments, dynamic typing). This is an open avenue for additional Javascript tools.

14 Javascript Tools Parser: Esprima, Acorn. AST: ESTree.
Code Analyzer: ScanJS. Code Analyzer, take 2: ESLint.

15 Esprima
Standard ECMAScript parser written in ECMAScript.
Supports ES6.
Standard AST based on the ESTree project.
Heavily used, some examples:
Code minifier: esmangle
Code instrumentation: Istanbul
ES6 to ES5 transpiler: esnext (uses Espree)

16 ESTree (DEMO)
De facto standard AST specification.
Originated as part of SpiderMonkey’s Parser API.
Lots of manipulation tools available.
DEMO: short demo of AST explorer. Focus on the JSON format, describe the general aspects of the format.
A nice summary of ECMAScript AST tools:

17 ScanJS (DEMO)
Focused on client-side web applications.
Web UI only, no command-line tool, which makes it hard to integrate with build tools.
Developed by Mozilla; unfortunately deprecated, but lives on as a plugin for ESLint: eslint-config-scanjs.
DEMO: short demo of the ScanJS UI and scan results.

18 ESLint
Uses Espree (fork of Esprima) for parsing.
Pluggable architecture: all rules are plugins, more can be added at runtime.
Different parsers can be used (Esprima, Espree or Babel are currently compatible).
Language extensions specified in the configuration.
Global variables predefined through environments.
Integrates with editors, build systems, command-line tools, and more! Talk about some of the integrations:

19 DEMO Demo of ESLint in a sample project using custom rules.
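An added example, not from the talk or from the ESLint project, tying slide 13's taint flow to the custom-rule demo: a rule in ESLint's plugin shape that treats jQuery `.val()` as a taint source, `.trim()` as taint-preserving and `.append()` as a sink, run over a hand-built ESTree AST of the slide's snippet. The rule is intra-procedural, so the `displaySearchResults` call is left out, and the node builders plus the minimal walker are assumptions that stand in for a parser and ESLint's traversal so it runs offline.

```javascript
// Builders for the few ESTree node types the sample needs (constructed input, not parser output).
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });
const member = (object, prop) => ({ type: 'MemberExpression', object, property: id(prop), computed: false });
const decl = (name, init) => ({ type: 'VariableDeclaration', kind: 'var', declarations: [{ type: 'VariableDeclarator', id: id(name), init }] });
const stmt = (expression) => ({ type: 'ExpressionStatement', expression });
// ESTree for the slide's flow without the helper function:
//   $('q').val() -> searchTerms -> .trim() -> trimmedSearchTerms -> $(selector).append(...)
const program = { type: 'Program', body: [
  decl('searchTerms', call(member(call(id('$'), [lit('q')]), 'val'), [])),
  decl('trimmedSearchTerms', call(member(id('searchTerms'), 'trim'), [])),
  stmt(call(member(call(id('$'), [id('selector')]), 'append'), [id('trimmedSearchTerms')])),
] };
// A rule in ESLint's plugin shape: create() returns visitors keyed by ESTree node type.
const noTaintedAppend = {
  meta: { type: 'problem', docs: { description: 'flag .append() of values derived from .val()' } },
  create(context) {
    const tainted = new Set(); // names of variables known to hold user input
    const isTainted = (node) => {
      if (!node) return false;
      if (node.type === 'Identifier') return tainted.has(node.name);
      if (node.type === 'CallExpression' && node.callee.type === 'MemberExpression') {
        const prop = node.callee.property.name;
        if (prop === 'val') return true;                           // source: form field value
        if (prop === 'trim') return isTainted(node.callee.object); // string ops keep the taint
      }
      return false;
    };
    return {
      VariableDeclarator(node) { if (isTainted(node.init)) tainted.add(node.id.name); },
      CallExpression(node) {
        const c = node.callee;
        if (c.type === 'MemberExpression' && c.property.name === 'append' && node.arguments.some(isTainted)) {
          context.report({ node, message: 'user input reaches .append() unsanitized (XSS sink)' });
        }
      },
    };
  },
};
// Minimal pre-order walker standing in for ESLint's traversal, so the rule runs without ESLint.
function walk(node, visitors) {
  if (!node || typeof node.type !== 'string') return;
  if (visitors[node.type]) visitors[node.type](node);
  for (const value of Object.values(node)) for (const child of [].concat(value)) walk(child, visitors);
}
function lint(ast) {
  const messages = [];
  walk(ast, noTaintedAppend.create({ report: (r) => messages.push(r.message) }));
  return messages;
}
```

The same `create()` object can be dropped into an ESLint plugin as-is; only the builders and `walk` are replaced by the real parser and traversal.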

20 Q&A

21 Reference material
Esprima: http://esprima.org/
ESTree spec:
ESTools projects:
ESLint:
ESLint integrations:
ScanJS ESLint plugin:
ScanJS ESLint rules:
