Hi,

Can anyone suggest tools or an approach to doing a source code “Security Review” of some JavaScript libraries. Particularly Cross-site scripting (XSS) activities potentially left by an unscrupulous individual.

Ideally something like the “RATS - Rough Auditing Tool for Security” which can be used for JavaScript, which parses the source code for key words or constructs that indicate a potential vulnerability.

Or

Add to my list of things to pay special attention to / do …
* Check MD5Sum (if there is one!)
* JavaScript Lint (www.javascriptlint.com)
* JS Lint (www.jslint.com)

Look out for the following key words (grep is primed and ready for action):
- Javascript, eval, forms, elements, cookie, href, src
- location, hash, host, hostname, href, pathname, port, protocol, search
- assign, reload, replace
- url, onload, fromCharCode
- Protocols - http ftp ssh telnet (any others?)
- &#\d\d\d Unicode?

Thanks in advance

Mike

+1  A: 

I think you should pay special attention to what is passed to document.write, and myDomNode.innerHTML as in

myDomNode.innerHTML = '<b>' + needsToBeEscaped + '</b>';
document.write('<b>' + needsToBeEscaped + '</b>');

Then, for script injection you need to worry about the usual suspects:

eval(...)
new Function(...)

If the application is using local storage, you should look for SQL injection as well.

When constructing URLs for links, or as targets for XMLHttpRequest, any dynamic portions of the URLs should be escaped with encodeURIComponent, and POST bodies for XMLHttpRequest should also be analyzed.

A good resource for potentially malicious patterns is http://code.google.com/p/google-caja/wiki/AttackVectors

Mike Samuel