Performing JavaScript Static Analysis by Lewis Ardern

get started thank you for everyone who came I'm very glad some people are still interested in JavaScript so I'm happy you guys turned up so the talk is basically a high-level overview of provoke performing code review on JavaScript applications there's going to be you know some things around you know an introduction to JavaScript so that's first about me okay so I'm seeing a security consultant at synopsis formerly I was at Seattle but after we got acquired by synopsis so now work at synopsis I've roughly have about four years experience in the security space primarily looking at web application security I'm also a PhD candidate at the in spec at university looking into browser security and prior decisional I

was did a degree in leads during a did my BSC in ethical hacking I also founded the ethical hacking Society after seeing the success of allottees Society and I did a bit of software development and security consultancy as well so synopsis are primarily came from hardware so the whole concept was silicon software and so the software integrity group was introduced to basically try and tackle some of the software security problems and the team consists of a wide range of different organizations that are been acquired over the time which is like black duck which looks for things like privacy violations in third PI software Coverity is basically a static analysis tool that identifies security vulnerabilities code nomicon is for

things like fuzzing and looking at protocols digital was primarily a security consultancy and coda scope was our e-learning platform along with and some IDE integrations for helping developers write better code so today I'm going to talk about the JavaScript landscape and talk about JavaScript security issues I'll briefly go over static code analysis and the review methods and I'll also talk about the challenges that come when you're actually doing JavaScript code analysis I'll also talk about some tools and the way to automate tools and customizing certain tools to be extended to use for things like new frameworks so the JavaScript landscape I want to go from the beginning and we'll go to where apparently I am in the real world so

before we get into anything I'll kind of just show you if anyone is still which way does this go you go this way yeah so this is what the web used to look like I still sometimes come to this website because I love space jams so that's pretty good but yeah I mean the web was basically just a bunch of marquees and take one tags and a bit of stairs JPEGs so in the early let's just go back to my slides and in the early days there was this need for JavaScript there was this whole concept of e-commerce platforms who actually needed to you know retain state and have some kind of presence of a user so they

introduced things like cookies but javascript was introduced into the netscape navigator browser back in 1995 there was kind of like a a war between java applets but it was soon swiftly dead and over the time they kind of needed the standardized javascript so there's this whole concept of the echo script International Organization and they create standards for web stand they create kind of standardization things for web and JavaScript conforms to that standard you know many years ago the web was predominantly server based and if you take a look at application built back in the 2000 era you were mainly looking at a bit of HTML CSS and JavaScript on the client and then everything was basically done on the

server so you had new net PHP oh sorry PHP and so on which was basically doing everything for you and the client wasn't really a thing so the old view was that you just had to protect the server and of course we've seen things like cross-site scripting and so on where you actually need to look at the client-side as well so I had a couple of arguments with some of my colleagues around this quote but on the 2016 developer survey JavaScript was classed as the most commonly used programming language on earth so we've got developers who are in the full stack space writing fluent and come back encodes are now all utilizing javascript in some way and in the 2017

survey it essentially mentions for the last five years javascript is still number one in the most popular and used language I kind of don't want to make the joke but you know if you get in these summaries from Stack Overflow it kind of shows how much developers seem to have problems when they write in JavaScript so so when I think about full stack Java scripts you can kind of switch out the client for different kinds of interpretations but if anyone who knows me I'm a big angularjs fan so a lot of the core a lot of the presentation will kind of fall into that round today but not you know but full stack is basically you offer

like a low barrier of entry into writing client side and server side codes and this is because you know the client side can be angularjs or reacts or notes or ember or backbone j/s and the server could ultimately be something like the nodejs language with express j/s which is bolted on as a framework to use as a server and even the database is written in javascript so you know you've got this client-side code interacting with JavaScript on the server which is interacting with a JavaScript database which is quite interesting in many ways so that's I like to be reactive nice to react joke right there and the web is ultimately changing at like a very fast

speed you know developers are you know writing various frameworks to tackle certain problems and you know that when they are trying to take those certain problems they're introducing all these new wonderful weird features that people utilize and we don't really know if they come up security issues or not so frameworks like angular JS and react they come with some quite secure defaults by design and but there's a wonderful presentation while a blog post by gareth hayes from the ports wigger who basically talks about you know abusing javascript frameworks by bypassing XS mitigations and this is when you trust frameworks for example in this instance it was Marvel - I owe you had the ability to bypass well

introduced cross-site scripting because you were explicitly trusting this framework and from what I've seen this might not be true for all organizations and our teams tend to transition into different and prototypes at least to when they're building applications every couple of years at least between the two to three year mark and from what I've seen and some people may disagree automated security tools are very slow to adopt these frameworks like for example four or five is a you know automatic code scanning tool and only recently started to scan things like gem angularjs so I'm going to talk about some JavaScript security issues now and it's only three of them and then we'll jump into the code and code scanning

side of things so I have a few personal tips if anyone is kind of new to JavaScript or they haven't really started to look at frameworks and libraries you don't have to be proficient in each language you look at you know but if your team are specializing in a certain framework you kind of want to learn all those idioms understand how the framework works understanding all those kind of intricate paths can be allow you to actually read the code easier and that that's how I kind of pick it up so I normally build applications to kind of understand the concept of how the logical flow of the application works before you start looking at the entire

landscape of security issues in a framework you should try and pick you know one issue and learn it well first so understand every kind of you know the reason why it exists why it's a problem and then ultimately getting down to the bare groans bones on how to actually secure it and then it always keep documentation with this these issues that you identify because they're going to be a good reference to one you can show developers or to you can just use as a reference to I understand the security issues that you saw in the past and use tools but don't rely on them because there's many pitfalls with tools it only can identify things that it

wrote to find and you know there's lots of limitations and they're very noisy and sometimes using a trained eye can actually be quite beneficial when looking at an Java or any language or any framework in general well back light without so I'm going to cover three things today so the dynamic execution of JavaScript is generally covered by things that will make code scanning so I'm going to kind of show the way that we are in the world now when it comes to dynamic execution of JavaScript I'm also going to talk about a security issue that kind of talks about cross origin and this this issue in particular is often misunderstood by developers and security concerns but from what I've seen even

though the tools do you report the use of postmessage doesn't necessarily mean that developers have fixed the problem and then I'm briefly going to talk about client-side trust and this is what automated tools generally don't find because when you think about the client ultimately there's things like authorization which are done on the server but the tools don't know that you're implementing these things and like they only can identify actual implementation books rather than you know design flaws so when we think about JavaScript execution that normally you think about cross-site scripting on the browser now of course with the introduction to no js' that changes things which I'll talk about in a minute but you know there's multiple ways to do

cross-site scripting and one of them is basically when data falls inside an evaluation or dynamic expression and you know eval in many ways an exit script and set timeout are quite beautiful in many ways because these are generally what are used to bypass a lot of filters because you have things like you know you can do string concatenation without you know including notifications so that's quite you know quite fantastic in many ways you know the XX script function you know runs on the window object and it also allows execution of JavaScript as well so these are all things that are generally used by developers and you know you would use like a set timeout to

wait for a second if any sync call or a synchronous call hasn't finished yet those kind of things so when we think about dynamic execution of JavaScript we use just have the client-side code where you would call alert document.domain and it would all be concatenated string concatenation into one basically query but when you take a look at the server you know you know this is kind of where the worlds collides and we now have actually remote code execution for dynamic execution of JavaScript so I'm going to quickly show you a demo of what I'm trying to mean with this throw into the other screen if I camp ready go there we go okay so let's go back to the

beginning so first I'll show the use of an client-side execution so when you have like a user name and you're inserting someone else crypto like one and you're inserting a URL with our eval function which basically will do string concatenation and execute obviously when you click Submit and if datas explicitly trusted on a browser and you will actually execute and it will I'd be brought together and you execute your document dot domain and it will obviously alert bookmarks calm in this instance and as you can see like the data here is explicitly trusted so if we refresh the browser it's persisted and it's an issue but then when you actually take a look at the server and imagine

you're working with a node.js application now I'm gonna try and pause it for a second so we have like a clear temp function here which basically is taking a request and a response this then takes the request body of EBL ultimately eBay is assigned to the user input and then it's injected into an eval function and then that data is then returns so let's continue the example so because of this that youth their user input is going to be explicitly trusted and actually evaluated against the server the whole concept for this actually is oh now I've paused it down at the bomb all it's doing is reading the file sync and all it wants to do is

we try and retrieve like a log file so if we intersect with burp which means obviously this is a dynamic application and we're testing it in that way and then we then go to clear the logs all this is doing is calling that function which is meant to pull the logs out and as it as you can see there that but then obviously if you take a look at what we talked about before where you can start interact with the server due to this evaluation what you're actually going to than going get is and basically remote code execution by you know for example you call the file system so you know I want to read

the file sync and I want to make sure it returns to me which is why we call file sync and then we asked for the EDC passwords what we're actually going to get is you know code execution from the browser sorry from the server to the browser whenever it's a very slow down I'm sorry so as you can see you know now we've returned that there are the other side of things now let's close this off so I can go back to my oh yeah great so as you can see like world has definitely changed from you know the early days of 1995 to now where we now have you know execution of JavaScript on the server

and rather than the client so websites by default are and basically have to follow the same origin policy and this prevents attacker con talking to Gmail and retrieving the contents of Gmail and Facebook calm trying to ask for things from Gmail now window dot post message basically enables you to send messages to inform different windows and there's also other things like you know JSON P which allows you to do JavaScript callbacks and there was also things like cos that allow you to define what websites can return the content because any website can send a request doesn't necessarily mean they're going to get a response and this could happen in two instances where a page spawns a pop up

or you know an iframe of an embedded instance so if you take a look at this this example here we're correct to send a message just to a different server you create a window or normally would have that open window here then that target window would send the post message and you're sending a message to that server and this basically normally can define the origin but at this instance we're just ignoring it then the other website would set up an event listener with the with the message attribute and then basically when this gets sent to the other origin it will then basically console my dad and data and the event data is send message now the security vulnerability

here is that if you do not validate what origins can talk to your post message actually will allow you to retrieve that content or potentially communicate with it and from a different origin or attacker.com origin which allow you to execute and steal things and I'm going to show you how that works in a second so this is an example from when we reviewed a client-side code and they have a legacy application and what they wanted to do was actually go away and create a client's angularjs client site and they wanted to be able to share the configuration of that so they were using a post message as an iframe to actually then just retrieve that information so

they can capture their JSON web token which allowed them to communicate obviously JSON web tokens is just what a lot of that new applications tend to use for that therefore being authenticated so in this instance it says we have a get config and that's basically what gets sent by the user and all it's doing the current release see it from here but basically we're checking to see if that key is the configure I get sent and it's going to wrap this event data and then create the post message to send it back so it has an event listener waiting to receive the message and as long as this matches it's then going to return this

information back to the page as long as an event list is set up so to share this in context as an exploit all you're going to do is basically set up an event listener to receive the message back and then basically all I'm doing is alerting that event data they get slim back to me but I'm creating a set timeout with the run function of five milliseconds which is five seconds and then I'm calling post message on the window I want to execute and I'm basically sending get conflict so what this is going to do is going to send a request to the horrible server say give me the information and the answer is they're going to responded

back to me so now I'm going to show you another demo of this in action I'm enjoying the app I really enjoy thank you okay so now off we go back to the beginning again I'm going to talk through that again so as you can see we've got an event listener that is basically you know going to be listening for a response in and as you can see we've got the up configured get config so as long as that config is matching this get configuration it's going to return this data so obviously we need to pass that data as well to actually read it in the correct format so it takes the event data and then it checks it to see if it

actually matches and then it will wrap it in this event data and then return the data to us so in a second I'm about to show the exploit and share the same steps so let's say we've got the set timeout and it runs in five seconds and we're basically calling the post message of get config opening obviously sending it to the vulnerable window and again we're ignoring this because it when it's a wild card it's just ignored but as you can see well now that when I'll go back to it but basically the reason why this comes back to the user is because they choose the target origin to come back so the event origin so

whatever made the request they chose the event origin to come back so as you can see if we choose attacker.com and send it to the vulnerable page that opens the window and if we go back to that page it's going to give us back to JSON web token after five seconds so in the application this actually gave the full JWT not just the string token so the way to fix this would actually be to validate the origins that you trust so you would first just include the event origin and if it's coming from a website that we trust then if it's not coming from a web site that we're going to just return and if it is this origin then it's gonna

execute everything else so we try that payload again it's not going to work so kimitaka calm after five seconds it won't execute anymore because it's being rejected because it's not a valid origin to talk to the application so then if we go to at example.com because it's validated and the same thing happens it will return back the data that we need and this is obviously what you want to try chief okay so yeah what I meant here is basically go back to here so in the post message we're returning back to the event we want to send it to so rather than having the wild card so a common you know issue with web applications is

client-side trust and you know when developers create applications they often think that javascript is running on the client and the client isn't you know knowing that the interpretation is that actually attackers can't access this and you know there's a lot of wrong assumptions that you know based on the client is not accessible and it went data submitted by the client you know it's controlled by the server-side but in fact data that is stored on the client is definitely accessible by attackers if you think about things like cross-site scripting your actions performed on a client are fully can be fully controlled by attackers through things like XML HTTP or creating like a form to send a request via the

application and you know other things like capturing like the local storage or the copy and so on and it's some important things to think about as well as you know HTML storage persists and you shouldn't save them from sensitive information and things like and cached packages or form data or cookies and you also should only use session storage because when you close the browser it basically clears everything out of the session storage and that doesn't happen for local storage and I've left a nice little blog from someone that I like to dig I'm loving it because what actually happened was there was an angularjs application and they found a way to basically do client-side cross-site

scripting and what actually then happened was they were doing password encryption on the client and they were able to use cross-site scripting to then I know it was using the same key so you're basically able to decrypt it and obviously you shouldn't be using the encryption anyway and then you could then use the cross-site scripting to send the password to you so if anyone wants to take a look at that I would highly recommend it so and then there's one more thing so when you start to look at and JavaScript client-side applications like I like to look at angularjs and there's two things that point out to me here when you see like things that ng show or ng hides

these are client-side checks they're basically JavaScript boolean checks to see how do I fulfilled this and have I fulfilled this and with angularjs there's also client-side routing so ultimately when you try and go to forward slash users as someone who's logged in if this isn't met that JavaScript won't allow you but it's all on the client-side it can all be tampered with and there's a lot of push from the server to the client and ultimately what happens is a lot of people now don't actually add those server-side checks and this is all they tend to use and it's I've done a lot of code reviews and I would say they do it right for most instances but there have

been quite a few occasions where they've only relied on the client and you've been able to you know gain a higher level of privilege due to this so now I want to talk quickly about static code analysis and review methods so let's talk about the concept of walking the tree so when we think about manual code review or doing code review in general it's quite a boring process there's sometimes millions and millions of lines of code to look at maybe not in the JavaScript sense but definitely in legacy applications and the whole term of static analysis is to basically automate the process of using code review so and it's normally carried out in the implementation phase of the software

development life cycle and basically this just means the code level so if we take a look at this diagram when you're building an application you normally have an S DLC and you normally start with requirements and use cases and you go into architecture and design and then you're go into test cases and autumn utley then you get to your codes when the actual implementation phase happens and this is where normally you would try and utilize tools or perform code audits from from in external perspective and that's also texture you know identify security vulnerabilities that were introduced due to coding errors and security vulnerabilities that were you know ultimately introduced and maliciously in the source codes now I don't want to go

into too much detail about the underlying process of generally how things will come into the path of actually static in a static analysis but and this is more like from an interpreter sense as well so normally you start with source codes and if you just have source codes it's just numbers to a machine so normally they go through this process of they build tokens and these tokens are basically just breakdown points of each defect so like var would be var and when you go into the token sense you also need to take in a lot of things into consideration like does whitespace matter because in JavaScript it doesn't but if you're looking at things like Python certain

matters so there's whole concept of lexical analysis is taking those Toto cones and basically converting it into more readable speech and then data is then passed and there's also things which are taken in to consider considered there as well which is basically are things like you know characters allowed in variable names or are there reserved words or their decimal literals or string literals and so on and then ultimately you get to the semantics of each language so each language comes with its own unique properties and those things need to be taken into consideration but then what we really care about is ignore all of that is basically the abstract syntax tree so this is generally what code

review tools or linters or style things stuff like styles basically used to basically and walk and identify issues in so I'll briefly show you a example of this so if we go to the ast Explorer see where opens so so we take a look at this and we just decide that we want to use JavaScript with the let's just say babel err slim parser when you take a look at code and you do bar X you know equal by x equals foo this alternate means there's a variable declaration with a call expression so an ast is our specific to each language so this doesn't really change unless like new things come into the framework so if we take a look at

this side as you can see we've got our variable declaration now of X and then ultimately further on down the chain there's a call expression and the call expression is just something that has a curly brace or so on so when you start to be able to read these trees and walk the tree in sense you can actually start to like look for security issues or in a sense code quality issues okay so I'm gonna go in a bit more detail about you know using n ast to basically pass codes in a little bit but I would highly recommend taking a look at these resources if you're interested in this area the first video is very good and it

basically talks about how to build a programming language from scratch the interpreter book is very good about the way your interpreter and language obviously the ast Explorer is very good a sense of understanding how an ast is and how you can pass it or things you might require and then there's also this resource which basically visualizes a STS and gives you a representation so there's a lot of challenges when it comes to JavaScript static analysis and the first one which is always interesting is that everything in JavaScript is an object and you know because of this and it's a prototypical language in basically everything it's a dynamic language and everything generally is processed at runtime so

every javascript object has a prototype object which can be overwritten so if you're trying to do static analysis you actually have to keep track of these changes so if we take a look at this example we have a person and it basically takes in the name and it assigns that name to a variable then I create a new user really a new person called Luis and I call it person 1 but then overwrite the property of two straight and now this two string is basically just returning the name so it's actually doing something different than what it was intended to do so it's returned the name rather than just returning while we possibly would still

return the function but you could overwrite those properties then variables can JavaScript could also contain different types so you know most languages like Java or like sounds two more languages you normally define things like string or an int and so on but everything in JavaScript like a variable can be of types for its string or I'll type thereof an integer or numbers in this sense so what this is doing is basically one we're making sure something is a billion to true and if that boolean is true then we reciting this literal string to the variable else then you know we're signing the variable to 69 and that's probably the only time I'll ever get like a joke without any so

we're on so and more wonderful things about JavaScript is though as type coercion so normally when you're you know making sure something is up of something you are doing like a double equals or a triple equals like an exact match or and they have that concept of loosely versus strictly typed so what basically type coercion is is converting an object to a different type and it's checking to see if the value inside matches so when we look at like force equals to double equals to one it's false but then if you look at false double equals to zero it's true which is a bit weird to see now obviously if you're doing it like strictly it's then

actually only like looking to see if this would actually be false so this is also something needs to be taken into consideration and there's actually now with the introduction of nodejs there's been a lot of security issues around this where about you might equal to null in some consensus because of type coercion yeah and that there was an issue with sort of socket IO which is like due to WebSockets and it was a broken implementation of their certificates for SSL so it was just allowing anything because it was no one is that yep fine but it would have didn't actually fixed with that javascript even has higher-order functions so you need to kick take this into consideration where one

function can call it never functions so in this instance we have basically a person which takes the value and the value is set to value or you can call the get and set function which calls and never function which one I'll just return the value or one which will set the value so in this case you know recreate two people one which is Luis in 69 the second one where you know getting the first output and in the second output and then we're changing that value again to Jason and getting you know the output again for Jason and these are also things that when you're looking at codes they can become quite complex from a code analysis perspective

and JavaScript by default is quite forgiving there's you know basically you can have broken codes you can have var equals x and never actually use it or you can have x equals y as long as it's not a strict strict mode then it's perfectly fine so what actually developers introduced was this concept of you know strongly typed JavaScript and you know strongly typed JavaScript equals less books and it's true so rather than just having something of a type which could be an integer or it could be a string you actually can create interfaces where you can define the name of string the age of number and if that person's are life to a boolean and then you can assign that and set it

here and if this was actually trying to be an integer it would complain and say actually no that's wrong and it would complain and it stops a lot of those issues happening by default and you know JavaScript is universal in many ways it's in Internet of Things it's on the server it's on the browser and you know a lot of people want to be able to create you know unique you know solutions to problems and they kind of have to sometimes convert it into JavaScript for it to be adopted and used so there's things like you know GWT for Java the typescript sorry java to java javascript typescript which is like type least strongly typed javascript to

javascript there's also things like pi scripts to price it into javascript and fun scripts F sharp to JavaScript and there's more there's a lot more and what we're trying to starting to see is that and there's quite low support when it comes to automated code scanning tool to actually support these languages because there's really no need to sense because you're basically happen to transpile that code to JavaScript for it to be interpreted anyway in the browser or on the server so I in a real world scenario security issues can still be found when you're writing in these languages but you would have to identify it in the JavaScript code and then basically map it back to that strongly

typed language and sorry new features such as es6 the eight seven seven eight you know also require updates to the static analysis process so for things like arrow functions a previous tool wouldn't have known that that might have been a function just sees it as an arrow so these things need to be taken into consideration so now I'm going to talk about a concept of dataflow analysis so it's following the data through source to sink and see if at any point where that is tainted so hopefully everyone will be able to see my code and it's going to be interesting to try and do this and explain it from this side right so hopefully everyone can see this but

we have a simple nodejs application that is basically doing the very similar thing that we saw in the example today and as you can see we've got a basically a gap function that takes in check logs and we have the request and the response so when you're doing dataflow analysis you would want to look at C like okay when data comes in is when we copy from the request and we want to see if any data then this taken from user input for example or a downstream and upstream system and then we want to see that okay that actually requests query of eval is there the sets of user input and then that user input is only valuated so as

you can see here this is going from a source and interest sink and ultimately all this is doing is exactly the same concept as before but basically calling get logs on the file system so if we see this in practice if I can get my browser to pull over

yeah so we have this limits all it's doing is called chat logs so and obviously again because we know like the source falls into a sink what we can actually do is basically do the same thing we did before where now I'm trying to find a secret value of a cert on my application we're sorry I mean we're doing exactly the same thing we're basically trained a variable called var in a file system require the file system then we're basically creating a path to that attribute you want to pull off the server and then it's occurring it out could have some O'War if that's okay it's like I will see the actual secure way of doing things when you're

reviewing codes is to look at the requests in the response and basically rather them directly in adding that information into an eval function is to basically just call those functions directly so in this sense we're checking that user input matches something that we want to actually go away in access and if it doesn't match that then it basically says we have a problem so now I'm going to show you another example which means I stay here now this is a JavaScript application yes and we have a very similar concept where JavaScript has this idea of scopes and when scopes are defined they're things that are accessible in the view so if we take a look at this application all it's really

doing is defining an object of friends deciding those names and phone numbers to properties and then in the client we're calling an NG repeat function of those friends and we're ordering by a certain power you now when you start to look at these frameworks and understand areas of concern like in this sense whenever you see a pipe operator in an NG repeat you can see that the order by will actually be evaluating those expressions so if user input from this user input from an interested source falls into this order by function here then it's a problem so if we take a look at what this is actually doing it's assigning order by by default to be

phone then it's calling if the window location search exists which in this case if you're including a window it's going to exist and then all it's doing is splitting the value and it's taking the first attribute well this well the second attribute so it would be taking whatever the value was and now is so and as you can see this is coming from user input because the window location and we're splitting it by a wet user input it's not going to be assigned to the order by which then falls into a source of taint when it falls into the order by filter so if you take a look at this in practice okay so you know first we could

order by a name like phone and what it normally does so you can also you know order by age and we can also order by no number and it's nice goods but then you know it comes a problem if you then use a JavaScript evaluation as a call in the constructor of the function can oh I did it on my other side we then call a constructor with function constructor and then call alert it's going to actually be allowed to evaluate into JavaScript so that might seem a bit confusing but all we're really doing is following source and sink into taint and then identifying the security issue so if we go back to the curb you can take a

look at a secure example of this and it's doing the pursuing basically the exactly the same thing taking source but it's first validating that through strict input to make sure that it matches the properties of friends so basically if the friends are not been defined and then it's looking to see if it has the property of the friends inside order by so if it doesn't match age name or phone number then ignore it so if we try to then execute the code would match to work anymore so you would want to be able to try and traverse the application in this way to see if these things are actually a problem and I don't know if there's any

commercial tool currently that's finding these kind of problems that you know fortified enough supports now support angularjs but it depends how smart overalls are which probably are very smart so there's also like a concept of there may be support for it but it doesn't necessarily mean they actually have security rules so and maybe it maybe it's code quality maybe it's in the sense of security as well but maybe less of a concern so I do have a small disclaimer I do work for one of these companies but I'm going to ignore them from the list because I want you to choose what works for you so you've got some commercial products that basically do perform JavaScript ace analysis so it

will go from source to sink and try and see if any data is painted and there's a wide range of tools and the tools that I'm going to go more into detail today are basically the tools to look for areas of interest and mainly because these are open source sorry and basically there's lots of they basically will point out things like semantic analysis and semantic analysis is a simple concept of you have values and those values might be classed as dangerous so dollars dollar eval in angularjs is classed as as dangerous so you want to look for that point of interest so i there's if you're if you're a pen tester you already have some of these available through like

things like the burke passive scanner there's also a scanned yes but it's deprecated there's also jsn and jasmine which is still actively worked on but today i'm gonna talk about the es limit in a little while after I go through the rest of the tools there's also a tool so like for example if you're building applications or working with development teams there's a lot of security issues that can actually happen in products that have already been created like angularjs you know react or even these things on NPM that you actively down download because they look cool so tools like retired retired a s n SP and snick will I'll try and identify and known security issues in

probably patched packages of light on it on NPM and then there's basically tools that the obfuscated and optimized JavaScript so the reason why I talk about closure closure compiler is an optimizer but when you're looking at the obfuscated codes you want to get to the point where you can remove the things you don't want to look at so what closure compiler will do will basically optimize dead code and get rid of it and that's quite good when you're looking at lots of code that you know get rid of the stuff that doesn't make any sense or is not needed and get rid of it and is still areas only got released a couple of days ago by minded security and what

it does is partial evaluations so impartial evaluation is basically the concept of and partly executing the code to see the resource and it does know there's a thing called mind I don't mind I think the project's called and it's just basically brackets and pluses and exclamation points and j/s Tillery will actually identify what that produces and other tools can't do that as always Jesus JEP Jess okay sorry I'm sorry for the profanity and so Ashlyn has slowly became my favorite go-to tool and many of the developers as well and basically it's an inter and what linters do we'll go through an AST and basically look for a co quality and security issues and basically it was allowed

developers to create enforce rules on our software and a lot of developers will actually allow that code to go out to production until most of their coding not the security ones don't get flagged it's more about the code quality issues and making sure the style looks nice and basically there's also it integrates into the CI CD pipeline which is quite nice I'm not sure about like I know it definitely works with git hooks so you can you know it's just a command line tool you can execute it and if any warnings pop up it's going to get black doers no and it also allows custom rules for you know specific domains and because from what I could see this is

extremely popular right now this was the state of je s from 2017 and he basically said that it was used and roughly between two and three times more to any of the other linting tools is completely customizable you can create your own rules and the reason why I'm quite happy with this is because I do a lot of code review when it comes to JavaScript and yes lint can be used by security consultants to basically identify points of interest very quickly so whenever you're starting a new project there's basically these security conflicts that you can use which are like on ES Lin RCS and ultimately there's support for nodejs vanilla jeaious and what i'll talk to you today

is about the rules I created for angularjs there's also react and there's a list of security rules like what we talked about before with the post message there's one which basically says you can't happen the wild card you have to define the origin and that's quite good when it comes to actually sending data back to clients and there's also things like you know no snow n Save in an age t ml so that's when you're assigning attributes to the innerhtml and that means when it's represented in the Dom it's actually going to be treated as HTML and that's quite bad so you know when you're creating your own rules like you know you have to have a

problem and you want to have it be able to make a solution so you know every angular pentest I had I had to basically go through ok what I've done in the past what have I looked for and basically try and reproduce that again so what I did was I went through a lot of the issues that we've found for research and through pen testing and and created a list of a bunch of es link rules that will identify problem locations and you know the current rules I've created are really just to be used as a point of interest but I want to make them more useful for developers as well and it will identify things like security

misconfigurations where SCE providers disabled and mine that's disabled and you basically got process scripting throughout most your angular app and you've also got like expression injection so when data goes into an expression it can be evaluated into JavaScript and there's also because of the client-side routing aspects there's also things like you know client side open redirection and of course on the roadmap there's more rules there's angular term for support which obviously the framework was completely rewritten and I want to be able to identify the maintain maintain enough state of like variable declare so we can actually have some kind of smart taste analysis so these are the steps that I would generally recommend on creating a rule you want to create a

test with a tree positive and a false positive so something that should pass the test and something that shouldn't but it'll be simple and you then want to walk the JavaScript ast and identify your requirements and you can create the rule from ast output and then basically make sure the test passes so this is how you create a test in es limp ultimately and require the rule that you want to test for so in this sense it was basically making sure SC is disabled or not but if it is disabled report it as an issue you import you know es lint rule tester and then you basically create a ballot code this should pass because it doesn't do anything

you know if it's unable to true that's good and by default it's automatically on so I should never really be there anyway and then basically if it's disabled you know to off I actually want to flag it as a warning and the way you would represent that is by identifying your requirements and this is using the visualize visualization tool that I showed earlier and basically when you take a look at what this actually attributes is is there's a member expression and a member expression is just two values that are parent and a child so you have you know your SC provider and enable it and then to be able to them to jump out and look at the

arguments you'd have to go to the call expression that gets called so you'd have to go back up to the parent nodes and take a look at the arguments to see if it's set to false so this is the rule that's making in is relatively simple so you call your member expression and basically you're making this see if the object name is set to SC provider and if it's enabled and then I'm accessing the parent and grabbing the arguments or the first argument because there's in the sense it's never normally one you know what more than one and then we're saying if it says to false and if it is then it very complains so I'm going to give a

quick demo on es loop and then we're done with the presentation so it's fine the code again okay so this is the conflict that I've created that is publicly available online and all it's doing is basically using the rules I want to look for so some of these I've already so there's let's take a look at dem ojs demo J s is basically just jQuery and I've kind of for a couple of minority areas of interest in the code base it's quite a big code base and you know it has like a lot of different functions and it passes it relatively simply so now if we go to that I can find it is it this one no

yeah okay so and we want to use that against the code base well I can't see it okay okay let's so I tried to zoom in to make it more viewable okay so I mean it's very difficult to see now but basically we're calling it yes lint we've basically saying we don't want to provide a config and I give my own profile which is the ERC and we're spending that code project so if now if I just run with my rule set now it's obviously it's flagged the compiled dangerous version on line 16 it's complied the SCO stares and it's also on like line nine thousand 386 the SCBA is also set to false so and this is

basically a great way when you're starting to do code review to basically points out areas of interest now obviously going if you change a value from SC provider is now X it's not going to find out any more so which is why there's a limitations right now but ultimately I want to get to the point where there's more smarts and tactical ways of doing it okay so in summary javascript is weird and wonderful language you know when you're looking at issues I try and learn one issue very well than trying to learn them all in one go and you do have to be concerned of JavaScript not just on the client-side and on the server but understanding like

the underlying static analysis process can actually help you identify issues quickly quickly and obviously use these tools but don't rely on them because as I mentioned before there's lots of limitations there's you know false negatives where it just doesn't the issue is this false positives there's also you know true findings that it will find but do not rely on them you know make sure you're also doing you know you're doing your checks and balances and making sure you look in the manual presents so that's the end the presentation okay so the question was about fatigue and when you're giving developers rules to use but then complaining about things are triple equals because it's not allowed anymore

but they need it for double equals and it's not allowed anymore they need it for certain options operations I think the answer is that you kind of need to just come to our middle ground and if that rule is in particularly a problem then disable it in the rule pack but then you would have to do some extra verifications like from the security team would have to be aware of those risks and then actually perform some manual analysis against the new code base at shipping to see if they actually is a problem it's obviously if it's no longer in the rules and they don't it's not being flagged it's gonna be it could be a risk and it's one of those

things but you know obviously the configurations are customizable so you can they can the developers can disable them if they need to which is scary but but you know it offers flexibility and but there are a lot of edge cases and problems with that yeah that's for sure but I don't know the answer I think just having to work with the development teams and trying to you know identify a middle ground and just going mmm okay where we can take off that rule for now and then maybe work on like critical applications for example if there's like you know the payment systems for example of your applications they have to follow those rules but maybe the client-side

code is something that you know for a different application there's a level a lower level of risk then maybe that's okay but obviously may impact productivity which is the only concern as well any other questions I haven't tried it I don't know the answer but I mean obviously when I'm looking at minified codes I will run rules against them but because because obviously it's changing the values normally to like you know small of attributes it won't pick up the static rules so you would ever have to like if you're doing like a pen test room for an organization you'd go can you please give me the full source code and they go no and you go okay so

then you would basically start to just have to manually investigate the code and use things like jst Larry or and you know close your compiler to try and get rid of code you don't need and then manually look at it and then if you can actually start to identify patterns you can probably change the code back into what it was and then read them the rules but bad-mouths you've defeated the purpose of the rules in the first place but yeah that that's I think it's you know definitely problematic unless you can write some very smart holes to be able to do things like you know following the state so when a new variable declaration happens and it's

about you that you know could be dangerous you have to tried that all the way through the application but that's probably going to be quite memory intensive and very problematic so do you have any recommendations with tools or doing runtime or dynamic analysis particularly around tracking the lifetime of tainted variables so the question was around the lifetime of tracking variables for like potential sources at ng meme around actually debugging dynamic code or you mean actually whether you've identified there's a problem and how long has been around for taking my user data from like location to search and tracking those things at runtime dynamically to see when they hits syncs like so there are like tools like there's there was one

called Dom Dominator but it changed its name to new closure detect and it basically is kind of like a brute force for those kind of attributes so new Hydra to detect will basically just brute force like identified known sources and known syncs and just hammer them away until they execute something and it's you know it's I don't know if that improved of also or if they've changed the way they do it but that was one way to do it there's also one way to do it you know adding debugs debugger like kind of captions into code and just stepping through it to see you know what happens and obviously you know glorified greps always help so and I think that's

probably the best way to do it from you know the way I would do it anyway I don't I'm sure there's probably smarter ways yeah I would wreck the probably reach out to a guy called live overflow and he has lots of amazing YouTube videos around kind of like identifying things like pop under there are things where he's basically debugging the code finding how all these things work I'm sure he has a better explanation for those kind of things yeah any other questions look okay well thank you for attending hopefully it was helpful and I will put me put in the slides up in the next ten minutes so if you want or what you like

look at them again and get all the links and stuff in the presentation there I'll be on my slide deck not to eat out [Applause]