JavaScript Security

What Is JavaScript?

JavaScript is a high-level, interpreted programming language that has been widely used since its release in 1995. JavaScript is currently the world’s 11th most popular programming language. JavaScript is commonly used in dynamic web pages to provide extended functionalities such as form submission/validation, interactivity, animations, user activity tracking and more. In order to do this, a JavaScript function is embedded in an HTML page, where it can interact with that page’s Document Object Model (DOM) to perform specific functions. JavaScript is not to be confused with the Java programming language – the languages are both object-oriented, have C-like syntaxes and share several names and naming conventions, but are otherwise not related. In addition to its use in web browser applications, Javascript is increasingly used in mobile applications, via cross-platform development tools like Titanium and PhoneGap, and in server-side code via frameworks like Node.js.

Secure Coding Handbook

Get the Handbook

JavaScript Security

Since its release, there have been several JavaScript security issues that have gained widespread attention. For one, the way JavaScript interacts with the DOM poses a risk for end users by enabling malicious actors to deliver scripts over the web and run them on client computers. There are two measures that can be taken to contain this JavaScript security risk. First is sandboxing, or running scripts separately so that they can only access certain resources and perform specific tasks. The second measure is implementing the same origin policy, which prevents scripts from one site from accessing data that is used by scripts from other sites. Many JavaScript security vulnerabilities are the result of browser authors failing to take these measures to contain DOM-based JavaScript security risks.

 

Common JavaScript Security Vulnerabilities

One of the most common JavaScript security vulnerabilities is Cross-Site Scripting (XSS). Cross-Site Scripting vulnerabilities enable attackers to manipulate websites to return malicious scripts to visitors. These malicious scripts then execute on the client side in a manner determined by the attacker. XSS vulnerabilities can exist when browser or application authors fail to implement the same origin policy and can be prevented by following correct development techniques. If XSS vulnerabilities aren’t remediated, they can result in user data theft, account tampering, malware spreading or remote control over a user’s browser.

Another common JavaScript security vulnerability is Cross-Site Request Forgery (CSRF). Cross-Site Request Forgery vulnerabilities allow attackers to manipulate victims’ browsers to take unintended actions on other sites. This is possible when target sites authenticate requests solely using cookies and attackers are able to send requests carrying users’ cookies. This JavaScript security issue can lead to account tampering, data theft, fraud and more. Both Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities exist in the application layer and require that correct development techniques are followed in order to be avoided.

There are a variety of other common JavaScript security issues that can increase risks for users. These issues include improper client-server trust relationships, vulnerabilities in browser and browser plugin code, and incorrect implementation of sandboxing or same origin policy. And for Node.js-based server side applications, there may be many other security vulnerabilities, including SQL Injection, Command Injection, and others. The only way for organizations to avoid these JavaScript security risks is to develop and source applications that are free of JavaScript security vulnerabilities. Many organizations use JavaScript security analyzers to test for and remediate these vulnerabilities.

JavaScript Security Analyzers

JavaScript security analyzers are JavaScript security tools that perform code analysis on client-side applications. These analyzers can typically test for JavaScript security vulnerabilities, issues in implementation, configuration errors and other risks that can be exploited by attackers. The Veracode platform provides JavaScript security analysis through its automated cloud-based service. Veracode assesses web applications and client-side technologies in a running environment in order to discover JavaScript security vulnerabilities and other issues.