November 8, 2022 01:34 am GMT

How to see if your JavaScript code is vulnerable?

As of 2022 JavaScript is the most widely used language among professional developers, and RedMonk's language ranking, which is derived from GitHub projects and Stack Overflow tags, places it at the top. And rightly so: JavaScript is a text-based language that runs on both the client and the server and lets developers make web pages interactive.

However, JavaScript is not perfect, and checking whether your code is vulnerable to risks like cross-site scripting (XSS) or broken access control is a critical step before you push it.

A good place to start is a short list of coding habits that remove the most common risks, backed by a scanning tool that catches what the habits miss.

JavaScript security tips to reduce risk

  • Avoid eval(): eval() executes whatever string it is handed as JavaScript code. If an attacker can influence that string, they can run arbitrary code in your application. The same applies to new Function(), and to setTimeout() or setInterval() called with a string. Parse data with JSON.parse() and use lookup tables or explicit branches instead.
  • Encrypt in transit: serve everything over HTTPS (TLS) so data exchanged between the client and the server cannot be read or altered on the wire.
  • Set secure cookies: mark cookies Secure so the browser only sends them over HTTPS, never over plain HTTP. Add HttpOnly so script, including injected script, cannot read them through document.cookie, and SameSite to stop browsers attaching them to cross-site requests.
  • Use per-user API tokens: issue each end user their own token instead of sharing one key across clients. A request whose token does not match the user it claims to act for can be rejected, and a single leaked token can be revoked without affecting everyone else.
  • Use safe methods of DOM manipulation: innerHTML (and outerHTML, insertAdjacentHTML, document.write) parses the value it is given as markup, so untrusted content becomes live HTML and event handlers. textContent (or innerText) sets plain text, so the same content is displayed rather than interpreted. This is the main defence against DOM-based XSS. (Tips adapted from Snyk.)
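The three tips that map directly to code, shown as an added example that is not part of the original post or of Snyk's material: the vulnerable form next to the hardened form for eval(), for the Set-Cookie attributes, and for untrusted text placed into HTML. Plain Node.js with no dependencies; the settings strings, the cookie value and the XSS payload are constructed for the demonstration, and all function names are my own.

```javascript
// Added example, not code from the original post or from Snyk: three of the
// tips above (no eval, Secure/HttpOnly cookies, no raw HTML interpolation)
// with the vulnerable form next to the hardened one. Plain Node.js, no
// dependencies; every input below is constructed for the demonstration.

// --- 1. eval() on untrusted input ----------------------------------------
// Vulnerable: a settings string from the client is evaluated as code, so
// whatever the client sends runs with the privileges of this process.
function parseSettingsUnsafe(input) {
  return eval('(' + input + ')');
}

// Hardened: JSON.parse understands data only, never code, and the result is
// reduced to an allowlist of expected keys with type and range checks.
function parseSettingsSafe(input) {
  let obj;
  try {
    obj = JSON.parse(input);
  } catch (e) {
    return null; // not JSON: reject instead of trying harder
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  const out = {};
  if (['light', 'dark'].includes(obj.theme)) out.theme = obj.theme;
  if (Number.isInteger(obj.pageSize) && obj.pageSize > 0 && obj.pageSize <= 100) {
    out.pageSize = obj.pageSize;
  }
  return out; // unknown keys such as "extra" are dropped, not passed through
}

// Constructed attacker input: valid JavaScript, not valid JSON. Harmless
// here (it only sets a global flag), but it could equally call process.exit
// or read the file system.
const MALICIOUS_SETTINGS = '(globalThis.pwned = true, { theme: "dark" })';
const HONEST_SETTINGS = '{"theme":"dark","pageSize":20,"extra":1}';

// --- 2. Secure cookies ---------------------------------------------------
// Builds a Set-Cookie header value. Secure keeps the cookie off plain HTTP,
// HttpOnly hides it from document.cookie so an XSS bug cannot read it, and
// SameSite stops browsers sending it on cross-site requests (CSRF).
function buildSessionCookie(name, value, opts = {}) {
  // RFC 6265 forbids whitespace, quotes, commas, semicolons and backslashes
  // in cookie values; reject them rather than let them split the header.
  if (!/^[A-Za-z0-9_-]+$/.test(name) || !/^[\x21-\x7e]*$/.test(value) || /[",;\\]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  const parts = [`${name}=${value}`];
  if (Number.isInteger(opts.maxAge)) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push(`Path=${opts.path || '/'}`, 'Secure', 'HttpOnly', `SameSite=${opts.sameSite || 'Lax'}`);
  return parts.join('; ');
}

// --- 3. Untrusted text in HTML ------------------------------------------
// In the browser, element.textContent = name is the fix. When HTML is built
// as a string (server-side templates, an innerHTML you cannot remove yet),
// encode the five characters that can open or close markup and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Vulnerable: the name lands in the page as markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello ${name}</p>`;
}

// Hardened: the name lands in the page as text.
function renderGreetingSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

const XSS_NAME = '<img src=x onerror=alert(1)>';

// Stand-alone run: prints each pair side by side.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('eval  :', parseSettingsUnsafe(MALICIOUS_SETTINGS), 'pwned =', globalThis.pwned);
  console.log('json  :', parseSettingsSafe(MALICIOUS_SETTINGS), parseSettingsSafe(HONEST_SETTINGS));
  console.log('cookie:', buildSessionCookie('sid', 'abc123', { maxAge: 3600 }));
  console.log('html  :', renderGreetingUnsafe(XSS_NAME), '|', renderGreetingSafe(XSS_NAME));
}
```

Run it with `node` and compare the pairs: the eval() version returns the expected object and also flips `globalThis.pwned`, the JSON.parse() version rejects the same input outright, and the escaped greeting shows the `<img>` tag as visible text rather than as an element. The allowlist in `parseSettingsSafe` is the part people tend to skip; JSON.parse alone still lets a client smuggle unexpected keys into whatever consumes the object.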

So, what can developers do, right now?

The most immediate thing you can do as an individual developer is to run a scanner over your source code: it tells you which findings actually matter and which lines of code they come from.

To scan your applications for vulnerable JavaScript code, start with a free SAST tool such as GitHub CodeQL, Snyk, SonarQube, or CodeSec by Contrast. They are simple to install and give you an immediate list of the source lines that need fixing, at no cost for open-source projects or within the tools' free tiers.

CodeSec, for example, integrates with GitHub through a free GitHub Action and can also be installed locally via Homebrew, npm, or as a standalone binary.

Ultimately, the goal is a tool that scans your JavaScript projects, tells you whether they are vulnerable, and points to the line of code that needs to change to remediate each finding.

Closing Thoughts

I encourage everyone to install one of these tools today and try out a scan. Security is not going anywhere and familiarizing yourself with what security insight looks like will be an advantage in the long run.

Free SAST Tools:

  1. CodeSec by Contrast
  2. Snyk
  3. CodeQL
  4. SonarQube

Original Link: https://dev.to/orlandov14/how-to-see-if-your-javascript-code-is-vulnerable-3g8k
