Security/B2G/JavaScript code analysis



Objective

The purpose of this document is to collect JavaScript code analysis tools suitable for inclusion in upcoming Mozilla projects or for internal use.

Criteria list

Each tool is evaluated by a set of criteria chosen to provide a quick overview of the tool's capabilities and opportunities for integration into existing environments.

Homepage
Code
Target user group
Analysis type
Programming language
License
Operating system
Current version
Interface
Output

Links to check out

Projects

DOM XSS Scanner

Summary

DOM XSS Scanner is an online tool for scanning web pages and JavaScript code for potential DOM based XSS security vulnerabilities.

Criteria

Homepage http://www.domxssscanner.com/info/about
Code https://github.com/yaph/domxssscanner
Target user group pentesters, reviewers, developers
Analysis type static
Programming language Python 2.7 / Django, JavaScript
License none
Operating system any
Current version (2013-02-12)
Interface Web browser
Output html

Features

Applications

Links

Esprima

Summary

ECMAScript parsing infrastructure for multipurpose analysis

Criteria

Homepage http://esprima.org
Code https://github.com/ariya/esprima
Target user group Developers, tool writers
Analysis type static AST
Programming language JavaScript
License BSD
Operating system any
Current version 1.0.3 (2013-05-17)
Interface node.js, rhino, js
Output

Features

  • Full support for ECMAScript 5.1 (ECMA-262)
  • Sensible syntax tree format, compatible with Mozilla Parser AST
  • Optional tracking of syntax node location (index-based and line-column)
  • Heavily tested (> 600 tests with solid statement and branch coverage)
  • Experimental support for ES6/Harmony (module, class, destructuring, ...)

Applications

  • keyword / statement histogram
  • identifier length distribution
  • boolean logic checking
  • variable scope / pollution checking
  • complexity checking
  • statement coverage

Links

JSCert

Summary

The JSCert project aims to really understand JavaScript. We are building models of ECMAScript semantics in the Coq proof assistant, and automated logical reasoning tools built on those semantics.

Criteria

Homepage http://jscert.org/
Code
Target user group researchers
Analysis type static semantic modelling
Programming language Coq
License
Operating system
Current version WIP
Interface Command line interface
Output XML

Features

Applications

Links

jsgrep

Summary

grep for the AST

Criteria

Homepage https://github.com/facebook/jsgrep
Code https://github.com/facebook/jsgrep
Target user group
Analysis type static AST
Programming language node.js
License Apache License 2.0
Operating system any
Current version (2012-04-23)
Interface command line interface
Output stdout, grep-style

Features

Applications

Links

JSHint

Summary

JSHint is a community-driven tool to detect errors and potential problems in JavaScript code and to enforce your team's coding conventions. It is very flexible so you can easily adjust it to your particular coding guidelines and the environment you expect your code to execute in.

Criteria

Homepage http://www.jshint.com
Code https://github.com/jshint/jshint/
Target user group Developers
Analysis type static AST
Programming language JavaScript
License MIT variant
Operating system any
Current version 2.1.10 (2013-08-15)
Interface node.js, rhino, js
Output jslint, checkstyle XML

Features

Applications

Links

JSPrime

Summary

JSPrime is a light-weight JavaScript source code scanner for identifying security issues using static analysis, built on Esprima.

Criteria

Homepage http://www.jsprime.org
Code https://github.com/dpnishant/jsprime
Target user group developers, reviewers, pentesting
Analysis type static AST
Programming language JavaScript
License MIT
Operating system any
Current version (2013-08-08)
Interface node.js, js
Output html report

Features

  • Variable & function tracing (part of JSPrime code flow analysis algorithm)
  • Variable & function scope-aware analysis (part of JSPrime code flow analysis algorithm)
  • Known filter function aware
  • OOP & prototype compliant
  • Minimum false positive alerts
  • Supports minified JavaScript
  • Blazing fast performance
  • Point and click
  • Upcoming features:
    • Automatic code de-obfuscation & decompression through Hybrid Analysis (link)
    • ECMAScript family support (ActionScript 3, Node.JS, WinJS)
  • Limitations
    • It can't learn sinks and sources automatically
    • It can't handle obfuscation
    • It can't handle minified JS, requires beautification
    • It can't analyse dynamically-generated code (using eval et al.)

Applications

Links

JSWebTools

Summary

Over the past several years, we've developed semantics foundations for JavaScript, built tools atop these foundations, and applied these tools to Web security problems. We've recently started tackling other Web technologies as well. All our work is open source.

Criteria

Homepage http://www.jswebtools.org/
Code https://github.com/brownplt/
Target user group security researchers
Analysis type static semantic modelling
Programming language ML, Haskell, Coq, PLT, probably more
License BSD
Operating system any
Current version WIP
Interface Command line interface
Output  ? (need to run)

Features

Applications

  • jQuery-types :: a typechecker for jQuery client programs
  • ADsafety :: verifying language-based Web sandboxes
  • Static Analysis for Intrusion Detection :: finding attacks on AJAX-based applications
  • Flapjax :: a language and library for reactive web applications

Links

ScanJS

Summary

Static analysis tool for JavaScript codebases. ScanJS uses Esprima to convert sources to an AST, then walks the AST looking for patterns. It works on both client- and server-side code.

Criteria

Homepage https://github.com/freddyb/scanjs
Code https://github.com/freddyb/scanjs
Target user group reviewers
Analysis type static
Programming language node.js / js
License MPL
Operating system any
Current version (2013-08-05)
Interface command line interface
Output html

Features

Applications

Links

Watchtower

Summary

Static Code Analysis tool designed to assist in code reviews. It offers a robust alternative to grep for finding matches on literal and regex-based strings within a project.

Criteria

Homepage https://github.com/chrisallenlane/watchtower
Code https://github.com/chrisallenlane/watchtower
Target user group reviewers
Analysis type static
Programming language Ruby
License GPLv3
Operating system any
Current version 1.4.8 (2013-09-02)
Interface command line interface
Output html, csv, xml, txt

Features

Applications

Links