
Javascript Static Code Analyzer

cphoton
December 03, 2015


AppSec Rio De La Plata 2015 Presentation:

http://appsecriodelaplata.org/editions/2015/


Transcript

  1. About me
     • 10+ years of developer experience.
     • Multiple languages / technologies (Java, C#, JS).
     • Curious about Security for a while.
     • AppSec Engineer @ NetSuite.
  2. About this talk
     • Motivation.
     • A bit of theory on the concepts behind static code analyzers.
     • Related Javascript tools.
  3. Static Code Analysis – What & Why?
     • Runs on source code (white-box testing).
     • Can use project-specific rules.
     • Can be automated.
     • Highly effective at finding specific, well-defined code patterns.
     • Early detection of potential issues, before the code is deployed.
  4. Why analyze Javascript code?
     • Scripting language of the Web.
       – Web Applications vs. Native Apps on mobile.
     • JavaScript Server Applications
       – Rhino
       – NodeJS
     • IoT
       – Embedded Devices
       – Home Automation
       – Robotics
       – DIY
  5. Why a Javascript Static Code Analyzer?
     • The scenario of applications written 100% in Javascript is increasingly common.
     • Testing infrastructure is written in Javascript too!
     • Goal: one language can give more flexibility to teams.
     • Goal: run static code analysis on CI / nightly builds.
     • Goal: leverage existing tools available in the Javascript community.
  6. Static Code Analysis Limitations
     • False positives
       – Need a way to filter known false positives out of successive scan results.
     • False negatives
       – Some vulnerabilities can only be discovered via dynamic code analysis.
       – The analyzer is unaware of custom APIs, cross-layer vulnerabilities, or configuration files.
       – Add custom rules to mitigate.
  7. A few compiler concepts
     • Compiler: transforms code from one language to another.
     • Pipeline: Input → Lexer → Tokens → Parser → AST → Optimizer → IR → Generator → Output
  8. A few compiler concepts
     • Same pipeline, with the part used by static analysis highlighted: the front end (Lexer → Tokens → Parser → AST). The tools in this talk build on a parser and on the AST it produces; they do not need the optimizer or the code generator.
  9. A few compiler concepts (cont.)
     • Lexer: transforms code into tokens, following the lexical grammar.
     • Input: var foo = bar;
     • Tokens:
         Type         Value
         Keyword      var
         Identifier   foo
         Punctuator   =
         Identifier   bar
         Punctuator   ;
  10. A few compiler concepts (cont.)
     • Parser: transforms tokens into an AST, following the syntactic grammar.
     • Abstract Syntax Tree: represents program structure.
     • Tokens: Keyword var, Identifier foo, Punctuator =, Identifier bar, Punctuator ;
     • AST:
         VariableDeclaration
           ├─ foo (Identifier)
           └─ bar (Identifier)
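The two stages above, as an added worked example (this is not code from the talk or from Esprima/Acorn): a hand-written lexer and parser for the tiny JavaScript subset on these slides. `tokenize()` is the "Lexer" box and `parse()` the "Parser" box, and the AST uses ESTree node names. It assumes a grammar of only the keywords `var`/`let`/`const`, identifiers and the punctuators `=`, `,` and `;`; a real parser covers the whole language, but the shape of the two stages is the same.

```javascript
// Added example: a lexer and a parser for `var foo = bar;` style declarations.
// Assumption: grammar restricted to var/let/const, identifiers and = , ;
const KEYWORDS = new Set(['var', 'let', 'const']);
const PUNCTUATORS = new Set(['=', ';', ',']);

// Lexer: characters -> tokens, following the lexical grammar.
function tokenize(input) {
  const tokens = [];
  let i = 0;
  while (i < input.length) {
    const ch = input[i];
    if (/\s/.test(ch)) { i += 1; continue; }        // whitespace produces no token
    if (/[A-Za-z_$]/.test(ch)) {                    // IdentifierName
      let j = i + 1;
      while (j < input.length && /[A-Za-z0-9_$]/.test(input[j])) j += 1;
      const value = input.slice(i, j);
      tokens.push({ type: KEYWORDS.has(value) ? 'Keyword' : 'Identifier', value });
      i = j;
      continue;
    }
    if (PUNCTUATORS.has(ch)) {
      tokens.push({ type: 'Punctuator', value: ch });
      i += 1;
      continue;
    }
    throw new SyntaxError(`Unexpected character '${ch}' at offset ${i}`);
  }
  return tokens;
}

// Parser: tokens -> ESTree AST, following this (simplified) syntactic grammar:
//   Program     := Declaration*
//   Declaration := Keyword Declarator (',' Declarator)* ';'
//   Declarator  := Identifier ('=' Identifier)?
function parse(input) {
  const tokens = tokenize(input);
  let pos = 0;
  const peek = () => tokens[pos];
  const expect = (type, value) => {
    const tok = tokens[pos];
    if (!tok || tok.type !== type || (value !== undefined && tok.value !== value)) {
      throw new SyntaxError(`Expected ${value || type} at token ${pos}`);
    }
    pos += 1;
    return tok;
  };
  const isPunct = (value) => peek() !== undefined && peek().type === 'Punctuator' && peek().value === value;
  const identifier = () => ({ type: 'Identifier', name: expect('Identifier').value });

  const body = [];
  while (pos < tokens.length) {
    const kind = expect('Keyword').value;
    const declarations = [];
    for (;;) {
      const id = identifier();
      let init = null;
      if (isPunct('=')) { pos += 1; init = identifier(); }
      declarations.push({ type: 'VariableDeclarator', id, init });
      if (!isPunct(',')) break;
      pos += 1;                                     // skip ',' and parse the next declarator
    }
    expect('Punctuator', ';');
    body.push({ type: 'VariableDeclaration', kind, declarations });
  }
  return { type: 'Program', sourceType: 'script', body };
}

// The slide's input, run through both stages.
const slideTokens = tokenize('var foo = bar;');
const slideAst = parse('var foo = bar;');
console.log(JSON.stringify(slideTokens));
console.log(JSON.stringify(slideAst, null, 2));
```

The token list matches the Type/Value table on slide 9, and the AST is the `VariableDeclaration` node of slide 10 with the `VariableDeclarator` level that ESTree puts between the declaration and its `id`/`init` identifiers. Running `parse('var = ;')` throws a `SyntaxError`, which is what an analyzer sees when it is pointed at code its parser does not support.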
  11. A few Static Code Analyzer techniques
     • Data Flow Analysis
       – Derives information about runtime data (which values may reach a given point) from the static program text alone.
       – Requires the control flow of the program: the paths execution can take.
         if (a > 1) {
           pathA(a);
         } else {
           pathB(1);
         }
         Control flow: if → path A, if → path B, path A → end-if, path B → end-if.
  12. A few Static Code Analyzer techniques
     • Taint Analysis: trace variables from user inputs (taint sources) to potentially vulnerable functions (sinks).
         var searchTerms = $('q').val();                    // source: user input
         var trimmedSearchTerms = searchTerms.trim();       // taint survives the transformation
         // … code
         displaySearchResults(trimmedSearchTerms, results);
         function displaySearchResults(terms, results) {
           $(selector).append(terms);                       // sink: XSS
         }
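Slides 11 and 12 together, as one added worked example (not code from the talk or from any of the tools it covers): taint analysis implemented as a forward data flow analysis over a control flow graph. The input is the slide's search program, extended with a sanitizer and a branch and lowered by hand into a small intermediate representation, the kind of IR a real analyzer derives from the AST. The IR op names, the `escapeHtml()` sanitizer and the `rawMode` branch are this example's own assumptions.

```javascript
// Added example: taint propagation as a may-analysis over a CFG.
// Source program (constructed for this example), already lowered to IR below:
//   var searchTerms = $('q').val();          // source: user input
//   var trimmed = searchTerms.trim();        // taint survives .trim()
//   var safe = escapeHtml(trimmed);          // sanitizer (assumed correct)
//   if (rawMode) { out = trimmed; } else { out = safe; }
//   displaySearchResults(out, results);
//   function displaySearchResults(terms, results) { $(selector).append(terms); }  // sink
const program = {
  main: {
    params: [], entry: 'B0',
    blocks: {
      B0: { stmts: [{ op: 'source', dst: 'searchTerms', name: "$('q').val()" },
                    { op: 'copy', dst: 'trimmed', src: 'searchTerms', via: 'trim()' },
                    { op: 'sanitize', dst: 'safe', src: 'trimmed', via: 'escapeHtml()' }],
            succs: ['B1', 'B2'] },                                 // if (rawMode) ... else ...
      B1: { stmts: [{ op: 'copy', dst: 'out', src: 'trimmed' }], succs: ['B3'] },
      B2: { stmts: [{ op: 'copy', dst: 'out', src: 'safe' }], succs: ['B3'] },
      B3: { stmts: [{ op: 'call', fn: 'displaySearchResults', args: ['out', 'results'] }], succs: [] },
    },
  },
  displaySearchResults: {
    params: ['terms', 'results'], entry: 'E0',
    blocks: { E0: { stmts: [{ op: 'sink', src: 'terms', name: '$(selector).append()' }], succs: [] } },
  },
};

// Data flow fact: Map from variable name -> the path by which it became tainted.
const merge = (a, b) => { const out = new Map(a); for (const [v, p] of b) if (!out.has(v)) out.set(v, p); return out; };
const sameFacts = (a, b) => JSON.stringify([...a].sort()) === JSON.stringify([...b].sort());

// Transfer function for one IR statement. Sink hits and callee analysis happen only in the
// reporting pass, i.e. after the caller's facts have reached their fixpoint.
function transfer(stmt, facts, ctx, report) {
  const next = new Map(facts);
  switch (stmt.op) {
    case 'source':
      next.set(stmt.dst, [`${stmt.dst} <- ${stmt.name}`]);
      break;
    case 'copy':
      if (facts.has(stmt.src)) next.set(stmt.dst, [...facts.get(stmt.src), `${stmt.dst} <- ${stmt.src}${stmt.via ? '.' + stmt.via : ''}`]);
      else next.delete(stmt.dst);      // strong update: assigning a clean value clears the taint
      break;
    case 'sanitize':
      next.delete(stmt.dst);           // sanitizer output is trusted by definition
      break;
    case 'call': {
      const callee = ctx.program[stmt.fn];
      if (!report || !callee) break;   // unknown (custom) API: not modelled, a source of false negatives
      const init = new Map();
      callee.params.forEach((p, i) => {
        const a = stmt.args[i];
        if (a !== undefined && facts.has(a)) init.set(p, [...facts.get(a), `${stmt.fn}(${p} <- ${a})`]);
      });
      analyze(stmt.fn, init, ctx);     // context-insensitive: the callee is analyzed per call site
      break;
    }
    case 'sink':
      if (report && facts.has(stmt.src)) ctx.findings.push({ sink: stmt.name, variable: stmt.src, path: [...facts.get(stmt.src), `${stmt.name} <- ${stmt.src}`] });
      break;
    default:
      throw new Error(`unknown IR op ${stmt.op}`);
  }
  return next;
}

// Worklist fixpoint over one function's CFG; facts are unioned where paths join.
function analyze(fnName, initFacts, ctx) {
  if (ctx.stack.includes(fnName)) return;          // recursion guard
  ctx.stack.push(fnName);
  const fn = ctx.program[fnName];
  const preds = {};
  for (const [name, block] of Object.entries(fn.blocks)) for (const s of block.succs) (preds[s] = preds[s] || []).push(name);
  const IN = {}, OUT = {};
  const work = [fn.entry];
  while (work.length) {
    const name = work.shift();
    let facts = name === fn.entry ? new Map(initFacts) : new Map();
    for (const p of preds[name] || []) if (OUT[p]) facts = merge(facts, OUT[p]);
    IN[name] = facts;
    for (const stmt of fn.blocks[name].stmts) facts = transfer(stmt, facts, ctx, false);
    if (!OUT[name] || !sameFacts(OUT[name], facts)) { OUT[name] = facts; work.push(...fn.blocks[name].succs); }
  }
  for (const [name, block] of Object.entries(fn.blocks)) {   // reporting pass over reachable blocks
    if (!IN[name]) continue;
    let facts = IN[name];
    for (const stmt of block.stmts) facts = transfer(stmt, facts, ctx, true);
  }
  ctx.stack.pop();
}

function runTaintAnalysis(prog, entry = 'main') {
  const ctx = { program: prog, findings: [], stack: [] };
  analyze(entry, new Map(), ctx);
  return ctx.findings;
}

const findings = runTaintAnalysis(program);
console.log(JSON.stringify(findings, null, 2));
```

The analysis reports one finding, with the path `searchTerms <- $('q').val()`, `trimmed <- searchTerms.trim()`, `out <- trimmed`, `displaySearchResults(terms <- out)`, `$(selector).append() <- terms`: the join at B3 keeps the taint from the `rawMode` branch even though the other branch sanitized, which is why data flow analysis needs the control flow graph and not just a list of statements. Remove the edge to B1 and no finding is produced. The example also shows the limitation of slide 6 in code: a call to a function the IR does not contain is simply skipped, so taint that flows through an unknown custom API is lost unless a rule (here, a model of that function) is added.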
  13. Javascript Tools
     • Parser: Esprima, Acorn.
     • AST: ESTree.
     • Code Analyzer: ScanJS.
     • Code Analyzer, take 2: ESLint.
  14. Esprima
     • Standard ECMAScript parser written in ECMAScript.
       – Supports ES6.
       – Standard AST based on the ESTree project.
       – Heavily used, some examples:
         • Code minifier: esmangle
         • Code instrumentation: Istanbul
         • ES6 to ES5 transpiler: esnext (uses Espree)
  15. ESTree
     • De facto standard AST specification.
     • Originated as part of SpiderMonkey's Parser API.
     • Lots of manipulation tools available.
     • DEMO
  16. ScanJS
     • Focused on client-side web applications.
     • Web UI only, no command line tool, which makes it hard to integrate with build tools.
     • Developed by Mozilla; unfortunately deprecated, but it lives on as an ESLint configuration: eslint-config-scanjs.
     • DEMO
  17. ESLint
     • Uses Espree (a fork of Esprima) for parsing.
     • Pluggable architecture:
       – All rules are plugins; more can be added at runtime.
       – Different parsers can be used (Esprima, Espree or Babel are currently compatible).
       – Language extensions are specified in the configuration.
       – Global variables are predefined through Environments.
     • Integrates with editors, build systems, command line tools, and more!
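The "all rules are plugins" point, as an added worked example (this is not code from the talk, from ESLint or from eslint-plugin-scanjs-rules): a custom rule in ESLint's rule format that flags the sink from the taint example on slide 12, a jQuery `.append()` / `.prepend()` / `.html()` call whose first argument is not a string literal. The rule object is what a plugin module would export. The tiny AST walker and the fake `context` are this example's own stand-ins for ESLint, so the block runs without ESLint installed; the AST is hand-built to the ESTree shape Espree would produce for the commented statements.

```javascript
// Added example: a custom ESLint rule plus a minimal harness to run it stand-alone.
const HTML_SINKS = new Set(['append', 'prepend', 'html']);   // assumed list of jQuery HTML sinks

const noNonLiteralHtmlSink = {
  meta: {
    type: 'problem',
    docs: { description: 'disallow non-literal arguments to jQuery HTML sinks (possible DOM XSS)' },
  },
  // ESLint calls create() once per file and invokes the returned visitors while walking the AST.
  create(context) {
    return {
      CallExpression(node) {
        const callee = node.callee;
        if (callee.type !== 'MemberExpression' || callee.computed) return;  // only obj.name(...) calls
        if (!HTML_SINKS.has(callee.property.name)) return;
        const arg = node.arguments[0];
        if (arg === undefined) return;
        if (arg.type === 'Literal' && typeof arg.value === 'string') return; // static markup is fine
        context.report({
          node,
          message: `Non-literal argument to .${callee.property.name}() may allow XSS`,
        });
      },
    };
  },
};

// Stand-in for ESLint's traversal: depth-first over the ESTree child nodes.
function walk(node, visitors) {
  if (!node || typeof node.type !== 'string') return;
  if (visitors[node.type]) visitors[node.type](node);
  for (const key of Object.keys(node)) {
    if (key === 'parent' || key === 'loc' || key === 'range') continue;
    const child = node[key];
    if (Array.isArray(child)) child.forEach((c) => walk(c, visitors));
    else if (child && typeof child.type === 'string') walk(child, visitors);
  }
}

// Stand-in for ESLint's context object: collects the reported messages.
function lint(ast, rule) {
  const reports = [];
  walk(ast, rule.create({ report: (r) => reports.push(r.message) }));
  return reports;
}

// Hand-built ESTree AST (constructed here) for `$(selector).<method>(<arg>);`
const jqueryCall = (method, argNode) => ({
  type: 'ExpressionStatement',
  expression: {
    type: 'CallExpression',
    callee: {
      type: 'MemberExpression',
      computed: false,
      object: { type: 'CallExpression', callee: { type: 'Identifier', name: '$' }, arguments: [{ type: 'Identifier', name: 'selector' }] },
      property: { type: 'Identifier', name: method },
    },
    arguments: [argNode],
  },
});

const ast = {
  type: 'Program',
  sourceType: 'script',
  body: [
    jqueryCall('append', { type: 'Identifier', name: 'terms' }),                               // $(selector).append(terms);
    jqueryCall('html', { type: 'Literal', value: '<b>static</b>', raw: '"<b>static</b>"' }),   // $(selector).html("<b>static</b>");
    jqueryCall('text', { type: 'Identifier', name: 'terms' }),                                 // $(selector).text(terms); not an HTML sink
  ],
};

const messages = lint(ast, noNonLiteralHtmlSink);
console.log(messages);
```

Only the first statement is reported. A pattern rule like this is what ESLint runs well on CI: it is cheap, needs no data flow, and a `Literal` argument is the one case that cannot carry user input. The price is the false-negative class from slide 6: a computed call such as `$(selector)['append'](terms)` is skipped by the `callee.computed` check, and the rule cannot tell `terms` that came from `.val()` apart from a constant string held in a variable; the taint analysis from slide 12 is what closes that gap.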
  18. Q&A

  19. Reference material
     • Esprima: http://esprima.org/
     • ESTree spec: https://github.com/estree/estree/blob/master/spec.md
     • ESTools projects: https://github.com/estools
     • ESLint: http://eslint.org/
     • ESLint integrations: http://eslint.org/docs/user-guide/integrations
     • ScanJS ESLint Plugin: https://github.com/mozfreddyb/eslint-config-scanjs
     • ScanJS ESLint Rules: https://github.com/mozfreddyb/eslint-plugin-scanjs-rules