How to check if your JavaScript code is unsafe?

More than 50,000 professional developers used JavaScript as their programming language of choice by 2022, with RedMonk reporting that JS appears in 98% of the world's tags on Stack Overflow and projects on GitHub, respectively. And rightly so: JavaScript is an amazing text-based programming language, used on both the client side and the server side, that lets developers make web pages interactive.

However, JavaScript is not perfect, and an important step before shipping your code is to check whether it is vulnerable to risks such as cross-site scripting (XSS) or broken access control.

The best way to start securing your applications is to follow some useful security tips and to use a scanning tool.

Javascript security tips to reduce risk

  • Avoid eval(): Do not use this function in your code, as it executes whatever is passed to it as long as it is a valid JavaScript expression. This means that if an attacker succeeds in manipulating the input value, they can run any script they want. Choose a more secure alternative instead.
  • Encrypt: Use HTTPS/SSL to encrypt the data exchanged between the client and the server.
  • Set secure cookies: To ensure that SSL/HTTPS is in use, mark your cookies as “secure”, which limits your application's cookies to secure (HTTPS) pages only.
  • Set API access keys: Assign a different token to each end user. If these tokens do not match, access can be denied or revoked.
  • Use safe methods of DOM manipulation: Methods like innerHTML are powerful but potentially dangerous, because they do not delimit or escape/encode the values passed to them. A method like innerText instead treats the value as text, escaping potentially hazardous material. This is particularly useful in preventing DOM-based XSS attacks. - snicko
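Two of the tips above in working code, as an added example that is not from the original post: a constructed untrusted input is escaped before any innerHTML-style insertion (or set as text in the browser), and untrusted JSON is parsed with JSON.parse instead of eval(). The escapeHtml, greetingMarkup*, renderGreeting and parseUserSafe names and the sample inputs are assumptions for this example.

```javascript
// Added example (not code from the original post). Demonstrates the
// "avoid eval()" and "safe DOM manipulation" tips in plain JavaScript.

// Constructed attacker-controlled inputs, e.g. a display name read from a
// query string and a user record fetched from an untrusted API.
const UNTRUSTED_NAME = '<img src=x onerror="alert(1)">';
const UNTRUSTED_JSON = '{"name":"<b>Ann</b>","role":"user"}';

// Encode the five characters that matter in HTML text and attribute contexts,
// so the value is rendered as literal text instead of parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: raw input concatenated into markup destined for innerHTML.
function greetingMarkupUnsafe(name) {
  return '<p>Hello, ' + name + '</p>'; // DOM-based XSS if name is attacker-controlled
}

// Hardened pattern: the same markup with the dynamic value escaped first.
function greetingMarkupSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Preferred in the browser: build nodes and assign text, never markup.
// textContent (like innerText) is never parsed as HTML. Assumes a DOM `document`.
function renderGreeting(container, name) {
  const p = document.createElement('p');
  p.textContent = 'Hello, ' + name;
  container.replaceChildren(p);
}

// eval() replacement: JSON.parse accepts only JSON and throws on code, and the
// shape check rejects data that parses but is not the object we expect.
function parseUserSafe(text) {
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== 'object' ||
      typeof obj.name !== 'string' || typeof obj.role !== 'string') {
    throw new TypeError('unexpected user object shape');
  }
  return { name: obj.name, role: obj.role };
}
```

Note that escaping the value for innerHTML still leaves it inside whatever markup you wrote around it; setting textContent avoids the markup question altogether.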

So, what can developers do right now?

One of the most immediate things you can do as an individual developer is to check whether your source code is vulnerable, and to work out which findings matter, using a good scanning tool.

Start by using a free SAST tool such as CodeSec by Contrast, GitHub CodeQL, Snyk, or SonarQube to scan your application for unsafe JavaScript code. They are easy to install and, at no cost, provide an immediate list of unsafe source code that needs to be updated.

In the case of CodeSec, it not only offers a simple GitHub integration through a free GitHub Action, but it is also very easy to install via Homebrew, npm, or directly as a binary.

Ultimately, the goal is to use a tool that scans your JavaScript projects for vulnerabilities and tells you whether the code is vulnerable and which line needs to be changed to fix it.

Closing thoughts

I encourage everyone to install one of these tools and try a scan today. Security isn't going anywhere, and familiarizing yourself with what a security insight looks like will be an advantage in the long run.

Free SAST Tools:

  1. CodeSec by Contrast
  2. snicko
  3. CodeQL
  4. SonarQube
