Secure Code Review and Penetration Testing of Node.js and JavaScript Apps


Security is an illusion, and being secure is a relative matter. This means you should always keep an eye on your security from every perspective: physical, human, social, corporate and IT security, since any system can be hacked given enough resources (knowledge, tools and time).

My goal in writing this is to show you how to approach and carry out a systematic secure code review and penetration test to secure your Node.js and JavaScript apps, which are very widespread nowadays. That abundance gives attackers an enormous number of targets written in this language and running on Node.js, in the browser and the like.

There are two different approaches to this: a) Secure Code Review, a defensive approach that finds flaws in a system and tries to fix them. b) Penetration Testing, an offensive approach that finds vulnerabilities and weaknesses in a live system.

A. Secure Code Review

Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment. — OWASP Code Review Introduction

As you see, it’s all about auditing, verification and analysis. The OWASP community has proposed a good starting point for this job, called “The OWASP Code Review Project”. It is a technical guide that helps code reviewers find as many flaws as possible under a unified framework.

Two versions of this technical guide have been published; version 2.0, the most recent, was published on 14 July 2017. The second version, which is thoroughly updated, consists of an introduction to the subject matter, a methodology and a set of technical references for the “OWASP Top 10” things to look for while reviewing code. Various diagrams, methods, risk models and techniques are discussed. It argues that the code review process should be integrated into the Software Development Life-cycle (SDLC), from the pre-commit to the post-commit phases. A risk-based approach to code review is then proposed, which analyzes risk with different techniques. Code review preparation steps and a set of static analysis tools follow. The last part shows the S-SDLC as an “Application Threat Modeling” approach which consists of three steps:

Step 1: Decompose the application.
Step 2: Determine and rank threats.
Step 3: Determine countermeasures and mitigation.

Some tools for threat modeling are also discussed. Lastly, a set of metrics is shown that can help the reviewer judge the quality and security characteristics of the code-base. Thereafter the code crawling practice is briefly introduced.

The technical reference section consists of the top 10 topics to consider while reviewing code:

A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object Reference
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Functional Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards

This list largely matches what is known as the “OWASP Top 10 Project”, with some minor differences. I recommend both of these guides to anyone who wants to review code systematically, find flaws and eventually secure the system.

B. Penetration Testing

The second part, after reviewing code, is the penetration testing, which also consists of a set of steps to find and pinpoint vulnerabilities and weaknesses from an attacker’s point of view. Basically, you hack to secure!

A penetration test, colloquially known as a pen test, is an authorized simulated cyber-attack on a computer system, performed to evaluate the security of the system. — Wikipedia, Penetration test

Under the “OWASP Top 10 Project”, three different versions of a set of guidelines have been published up until now, the most recent being the 2017 version.

This guide consists of top 10 vulnerabilities to look for while testing an application/system:

A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring

All these security risks may not be present all at once in one application, but one may lead to others and possibly to the compromise of the whole system or network.

There are a set of cheat sheets from the OWASP community that you can read to get an overview of what to expect while securing or testing a system:

https://github.com/OWASP/CheatSheetSeries/tree/master/cheatsheets

OWASP/CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. - OWASP/CheatSheetSeries

https://www.oreilly.com/library/view/defensive-security-handbook/9781491960370

Defensive Security Handbook

Despite the increase of high-profile hacks, record-breaking data leaks, and ransomware attacks, many organizations don’t have the budget to establish or outsource an information security (InfoSec) program, forcing them to …

https://www.oreilly.com/library/view/securing-node-applications/9781491982426/

Securing Node Applications

Security incidents are indeed on the rise, but according to one authoritative analysis, 85% of all successful exploits focus on the top ten security vulnerabilities. In this report, author Chetan …

https://github.com/getify/You-Dont-Know-JS

getify/You-Dont-Know-JS

A book series on JavaScript. @YDKJS on twitter.

https://exploringjs.com/

Exploring JS: JavaScript books for programmers

Axel has been writing about the future of JavaScript since early 2011. ...

C. Where to Look for Vulnerability Listings

There are many databases that list vulnerabilities and their information and relations. For example, if it is an open-source project, you need to visit the “Issues” section, either on GitHub, GitLab or elsewhere.

There are many bug trackers out there. Some of which are focused on security, e.g. https://security-tracker.debian.org/tracker/.

If it is a proprietary project, you should usually look at public sources, such as the company’s website or these databases:

https://www.cvedetails.com/

CVE security vulnerability database. Security vulnerabilities, exploits, references and more

www.cvedetails.com provides an easy to use web interface to CVE vulnerability data. You can browse for vendors, products and versions and view cve entries, vulnerabil...

https://nvd.nist.gov/

NVD - Home


D. Programming Knowledge and Experience

It should never be underestimated that great code review needs great programming skills, or at least an understanding of what is used in the project. Since the JavaScript ecosystem has evolved over the years and many libraries, engines and practices have been developed, one can easily get lost in this vast amount of information.

I recommend you have a look at these two gold mines:

https://github.com/sorrycc/awesome-javascript

sorrycc/awesome-javascript

🐢 A collection of awesome browser-side JavaScript libraries, resources and shiny things. - sorrycc/awesome-javascript

https://github.com/sindresorhus/awesome-nodejs

sindresorhus/awesome-nodejs

:zap: Delightful Node.js packages and resources.

E. Tools of the Trade

Now that we have solid ground in terms of methodology and knowledge, we should look at the available tools that can help a reviewer/attacker do their job.

I just list these tools, which I have tested my projects with, and it is up to you to read the documentation and figure out how they work. They are very easy to use in my view.

I have stumbled upon https://github.com/mre/awesome-static-analysis, https://github.com/jesusprubio/awesome-nodejs-pentest and https://www.owasp.org/index.php/Source_Code_Analysis_Tools as a starting point for static analysis of the code. Many tools are listed, some old and some new. What I used for my project is as follows:

Counting lines of code in your project

https://www.npmjs.com/package/cloc

cloc

An npm module for distributing cloc by Al Danial https://github.com/AlDanial/cloc

Auditing your code to see if there are any known vulnerabilities

https://snyk.io/

Snyk | Develop Fast. Stay Secure

Snyk helps you use open source and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and much more.

https://github.com/OSSIndex/auditjs

sonatype-nexus-community/auditjs

Audits an NPM package.json file to identify known vulnerabilities. - sonatype-nexus-community/auditjs

https://github.com/ajinabraham/NodeJsScan

ajinabraham/nodejsscan

nodejsscan is a static security code scanner for Node.js applications. - ajinabraham/nodejsscan

https://github.com/RetireJS/retire.js

RetireJS/retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities - RetireJS/retire.js

https://codeclimate.com/

Engineering Metrics to Improve Continuous Delivery Practices | Velocity

Code Climate provides automated code review for your apps, letting you fix quality and security issues before they hit production. We check every commit, branch and pull request for changes in quality and potential vulnerabilities. If an issue is found, you're notified immediately - it's that simple.

Linting and static analysis of your code inside your editor

https://github.com/dustinspecker/awesome-eslint

dustinspecker/awesome-eslint

A list of awesome ESLint plugins, configs, etc.

https://github.com/eslint/eslint

eslint/eslint

Find and fix problems in your JavaScript code.

https://github.com/nickdeis/eslint-plugin-no-secrets

nickdeis/eslint-plugin-no-secrets

An eslint plugin to find strings that might be secrets/credentials - nickdeis/eslint-plugin-no-secrets

https://github.com/nodesecurity/eslint-plugin-security

nodesecurity/eslint-plugin-security

ESLint rules for Node Security.

https://github.com/Rantanen/eslint-plugin-xss

Rantanen/eslint-plugin-xss

ESLint plugin for XSS detection.

https://github.com/SonarSource/eslint-plugin-sonarjs

SonarSource/eslint-plugin-sonarjs

SonarJS rules for ESLint.

https://github.com/mozfreddyb/eslint-config-scanjs

mozfreddyb/eslint-config-scanjs

umbrella config to achieve scanjs-like functionality through eslint - mozfreddyb/eslint-config-scanjs
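The plugins and configs listed above can be wired into a single ESLint setup so that security findings show up in the editor and fail CI. The `.eslintrc.js` below is an added example, not code from the post or from any of those projects; the plugin, config and rule names are taken from those projects' documentation as I know them and should be treated as assumptions to check against the versions you install.

```javascript
// .eslintrc.js (added example): combines the security-oriented ESLint plugins
// listed above. Rule and config names are assumptions based on each plugin's
// README; verify them against the installed version.
const config = {
  root: true,
  env: { node: true, es2020: true },
  parserOptions: { ecmaVersion: 2020, sourceType: 'module' },
  plugins: ['security', 'no-secrets', 'xss', 'sonarjs'],
  extends: [
    'eslint:recommended',
    'plugin:security/recommended', // eslint-plugin-security: risky Node.js APIs
    'plugin:xss/recommended',      // eslint-plugin-xss: unsafe DOM sinks
    'plugin:sonarjs/recommended',  // eslint-plugin-sonarjs: bug and smell rules
    'scanjs',                      // eslint-config-scanjs: ScanJS-style umbrella config
  ],
  rules: {
    // Flag high-entropy string literals that look like embedded credentials;
    // 4.2 is the plugin's default entropy tolerance, shown here explicitly.
    'no-secrets/no-secrets': ['error', { tolerance: 4.2 }],
    // Promote the findings a reviewer most wants to see to errors so CI fails.
    'security/detect-eval-with-expression': 'error',
    'security/detect-child-process': 'error',
    'security/detect-non-literal-fs-filename': 'warn',
    // Very noisy on ordinary property access; leave for manual review instead.
    'security/detect-object-injection': 'off',
  },
};

// ESLint loads .eslintrc.js as a CommonJS module.
if (typeof module !== 'undefined') module.exports = config;
```

Run it with `npx eslint .` after installing eslint together with the four plugins and eslint-config-scanjs (plus the peer dependencies that config declares).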

Useful JavaScript libraries for secure development

https://www.defensivejs.com/

Defensive JavaScript home

DJS is a defensive subset of JavaScript: code in this subset runs independently of the rest of the JavaScript environment. When properly wrapped, DJS code can run safely on unt...

Cloud services that offer security as a service

https://www.cloudflare.com/

Cloudflare - The Web Performance & Security Company | Cloudflare

Here at Cloudflare, we make the Internet work the way it should. Offering CDN, DNS, DDoS protection and security, find out how we can help your site.

https://www.sqreen.com/

Application Security Management Platform | Sqreen

Learn more about Sqreen's application security platform that helps teams protect applications, increase visibility and secure code.

https://detectify.com/

Leading website vulnerability scanner | Free 14 day trial

Web security issues are a major pain, thankfully our website vulnerability scanner identifies issues before they become a problem. Find vulnerabilities before hackers do!

https://semmle.com/

Semmle - Code Analysis Platform for Securing Software

Semmle's code analysis platform helps teams find zero-days and automate variant analysis. Secure your code with continuous security analysis and automated code review.

Most of what I recommended up until now was about secure code review. The following tools are useful for penetration testing:

http://sqlmap.org/

sqlmap: automatic SQL injection and database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a pow...

https://portswigger.net/burp

Burp Suite - Application Security Testing Software

Get Burp Suite. The class-leading vulnerability scanning, penetration testing, and web app security platform. Try for free today.

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

OWASP ZAP Zed Attack Proxy | OWASP


https://github.com/loadimpact/k6

loadimpact/k6

A modern load testing tool, using Go and JavaScript - https://k6.io - loadimpact/k6

https://nmap.org/

Nmap: the Network Mapper - Free Security Scanner

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tas...

https://www.getpostman.com/

Postman | The Collaboration Platform for API Development

Simplify each step of building an API and streamline collaboration so you can create better APIs—faster

Guidelines and best practices

https://github.com/Checkmarx/JS-SCP

Checkmarx/JS-SCP

JavaScript Secure Coding Practices guide.

https://security.berkeley.edu/secure-coding-practice-guidelines

Secure Coding Practice Guidelines | Information Security Office

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided ...

https://www.javascriptjanuary.com/blog/defensive-javascript

Defensive JavaScript — JavaScript January

Many thanks to Google’s Mike Samuel for contributing this article on JavaScript security.

https://snyk.io/blog/comparing-react-and-angular-secure-coding-practices/

Comparing React and Angular secure coding practices | Snyk

Welcome to Snyk's State of JavaScript frameworks security report 2019, this section of the report is about Angular and React projects overall security posture.

https://github.com/lirantal/awesome-nodejs-security

lirantal/awesome-nodejs-security

Awesome Node.js Security resources.

Now is your time to sharpen your swords ⚔️ and test them to be ready for attack. Be sure not to cut your fingers. 😉

Although I have presented ways to review code and penetration test JavaScript and Node.js apps, the same principles and practices apply to other languages, too. You just have to look up the corresponding information for that language.

Finally, your comments and suggestions are much appreciated.
