Security/B2G/JavaScript code analysis

10,632 bytes added, 17:27, 3 September 2013
= Objective =
The purpose of this document is to collect JavaScript code analysis tools suitable for inclusion in upcoming Mozilla projects or for internal use.
= Criteria list =
Each tool is evaluated by a set of criteria chosen to provide a quick overview of the tool's capabilities and opportunities for integration into existing environments.

{|
| Homepage ||
|-
| Code ||
|-
| Target user group ||
|-
| Analysis type ||
|-
| Programming language ||
|-
| License ||
|-
| Operating system ||
|-
| Current version ||
|-
| Interface ||
|-
| Output ||
|}

= Links to check out =
* [X] https://air.mozilla.org/static-analysis/
* [X] http://cf.cs.ucsb.edu/static/ (timeout)
* [X] http://jscert.org/tools.html
* [X] http://www.jswebtools.org/
* [X] http://doctorjs.org/ (broken)
* [X] http://www.checkmarx.com/technology/application-security-testing/
* [X] https://github.com/chrisallenlane/watchtower
* [X] http://research.microsoft.com/en-us/projects/nozzle/
* [X] [http://www.youtube.com/watch?v=ACYZFkvq0Sk Javascript Code Analysis with Esprima]
* [X] http://jscomplexity.org
* [X] [http://www-cs-students.stanford.edu/~ataly/Papers/sp11.pdf Automated Analysis of Security-Critical JavaScript APIs (PDF)]
* [X] [http://www.slideshare.net/nishantdp/jsprime-bhusa13new JavaScript Static Security Analysis made easy with JSPrime (slideshare)]
* [X] [http://www.slideshare.net/null0x00/secure-java-scriptfordevelopers Secure JavaScript for developers (slideshare)]
* [X] https://github.com/brownplt
* [X] http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
* [ ] [http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en//pubs/archive/37199.pdf Automated Analysis of Security-Critical JavaScript APIs (PDF)]
* [ ] https://github.com/mishoo/UglifyJS
* [ ] https://github.com/substack/node-falafel
* [ ] https://github.com/substack/node-burrito
* [ ] https://developers.google.com/closure/ (useful JS analysis by compiler)
= Projects =
== DOM XSS Scanner ==
=== Summary ===
DOM XSS Scanner is an online tool for scanning web pages and JavaScript code for potential DOM-based XSS security vulnerabilities.
=== Criteria ===
{|
| Homepage || http://www.domxssscanner.com/info/about
|-
| Code || https://github.com/yaph/domxssscanner
|-
| Target user group || pentesters, reviewers, developers
|-
| Analysis type || static
|-
| Programming language || Python 2.7 / Django, JavaScript
|-
| License || none
|-
| Operating system || any
|-
| Current version || (2013-02-12)
|-
| Interface || Web browser
|-
| Output || html
|-
|}
=== Features ===
=== Applications ===
=== Links ===
== Esprima ==
=== Summary ===
ECMAScript parsing infrastructure for multipurpose analysis
=== Criteria ===
{|
| Homepage || http://esprima.org
|-
| Code || https://github.com/ariya/esprima
|-
| Target user group || Developers, tool writers
|-
| Analysis type || static AST
|-
| Programming language || JavaScript
|-
| License || BSD
|-
| Operating system || any
|-
| Current version || 1.0.3 (2013-05-17)
|-
| Interface || node.js, rhino, js
|-
| Output ||
|}
=== Features ===
* Full support for ECMAScript 5.1 (ECMA-262)
* Sensible syntax tree format, compatible with Mozilla Parser AST
* Optional tracking of syntax node location (index-based and line-column)
* Heavily tested (> 600 tests with solid statement and branch coverage)
* Experimental support for ES6/Harmony (module, class, destructuring, ...)
=== Applications ===
* keyword / statement histogram
* identifier length distribution
* boolean logic checking
* variable scope / pollution checking
* complexity checking
* statement coverage
=== Links ===
* [http://www.youtube.com/watch?v=ACYZFkvq0Sk Javascript Code Analysis with Esprima (YouTube)]
== JSCert ==
=== Summary ===
The JSCert project aims to really understand JavaScript. We are building models of ECMAScript semantics in the Coq proof assistant, and automated logical reasoning tools built on those semantics.
=== Criteria ===
{|
| Homepage || http://jscert.org/
|-
| Code ||
|-
| Target user group || researchers
|-
| Analysis type || static semantic modelling
|-
| Programming language || Coq
|-
| License ||
|-
| Operating system ||
|-
| Current version || WIP
|-
| Interface || Command line interface
|-
| Output || XML
|-
|}
=== Features ===
=== Applications ===
=== Links ===
* [http://www.doc.ic.ac.uk/~gds/TowardsProgramLogicJavaScriptPOPL2012.pdf Towards a Program Logic for JavaScript (PDF)]
* http://jscert.org/publications.html
== jsgrep ==
=== Summary ===
grep for the AST
=== Criteria ===
{|
| Homepage || https://github.com/facebook/jsgrep
|-
| Code || https://github.com/facebook/jsgrep
|-
| Target user group ||
|-
| Analysis type || static AST
|-
| Programming language || node.js
|-
| License || Apache License 2.0
|-
| Operating system || any
|-
| Current version || (2012-04-23)
|-
| Interface || command line interface
|-
| Output || stdout, grep-style
|-
|}
=== Features ===
=== Applications ===
=== Links ===
== JShint ==
=== Summary ===
JSHint is a community-driven tool to detect errors and potential problems in JavaScript code and to enforce your team's coding conventions. It is very flexible so you can easily adjust it to your particular coding guidelines and the environment you expect your code to execute in.
=== Criteria ===
{|
| Homepage || http://www.jshint.com
|-
| Code || https://github.com/jshint/jshint/
|-
| Target user group || Developers
|-
| Analysis type || static AST
|-
| Programming language || JavaScript
|-
| License || MIT variant
|-
| Operating system || any
|-
| Current version || 2.1.10 (2013-08-15)
|-
| Interface || node.js, rhino, js
|-
| Output || jslint, checkstyle XML
|-
|}
=== Features ===
=== Applications ===
=== Links ===
== JSPrime ==
=== Summary ===
JSPrime is a light-weight JavaScript source code scanner for identifying security issues using static analysis, built on Esprima.
=== Criteria ===
{|
| Homepage || http://www.jsprime.org
|-
| Code || https://github.com/dpnishant/jsprime
|-
| Target user group || developers, reviewers, pentesting
|-
| Analysis type || static AST
|-
| Programming language || JavaScript
|-
| License || MIT
|-
| Operating system || any
|-
| Current version || (2013-08-08)
|-
| Interface || node.js, js
|-
| Output || html report
|-
|}
=== Features ===
* Variable & function tracing (part of JSPrime code flow analysis algorithm)
* Variable & function scope-aware analysis (part of JSPrime code flow analysis algorithm)
* Known filter function aware
* OOP & prototype compliant
* Minimum false positive alerts
* Supports minified JavaScript
* Blazing fast performance
* Point and click
* Upcoming features:
** Automatic code de-obfuscation & decompression through Hybrid Analysis ([http://code.google.com/p/ra2-dom-xss-scanner link])
** ECMAScript family support (ActionScript 3, Node.JS, WinJS)
* Limitations
** It can't learn sinks and sources automatically
** It can't handle obfuscation
** It can't handle minified JS, requires beautification
** It can't analyse dynamically-generated code (using eval et al.)
=== Applications ===
=== Links ===
* [https://media.blackhat.com/us-13/US-13-Patnaik-Javascript-Static-Security-Analysis-made-easy-with-JSPrime-Slides.pdf JavaScript Static Security Analysis made easy with JSPrime (PDF)]
== JSWebTools ==
=== Summary ===
Over the past several years, we've developed semantics foundations for JavaScript, built tools atop these foundations, and applied these tools to Web security problems. We've recently started tackling other Web technologies as well. All our work is open source.
=== Criteria ===
{|
| Homepage || http://www.jswebtools.org/
|-
| Code || https://github.com/brownplt/
|-
| Target user group || security researchers
|-
| Analysis type || static semantic modelling
|-
| Programming language || ML, Haskell, Coq, PLT, probably more
|-
| License || BSD
|-
| Operating system || any
|-
| Current version || WIP
|-
| Interface || Command line interface
|-
| Output || ? (need to run)
|-
|}
=== Features ===
=== Applications ===
* jQuery-types :: a typechecker for jQuery client programs
* ADsafety :: verifying language-based Web sandboxes
* Static Analysis for Intrusion Detection :: finding attacks on AJAX-based applications
* Flapjax :: a language and library for reactive web applications
=== Links ===
* http://www.jswebtools.org/papers/
* [http://www.youtube.com/watch?v=Pd7Fra8vPok Project overview on YouTube]
== ScanJS ==
=== Summary ===
Static analysis tool for JavaScript codebases. ScanJS uses Esprima to convert sources to an AST, then walks the AST looking for patterns. It works on both client- and server-side code.
=== Criteria ===
{|
| Homepage || https://github.com/freddyb/scanjs
|-
| Code || https://github.com/freddyb/scanjs
|-
| Target user group || reviewers
|-
| Analysis type || static
|-
| Programming language || node.js / js
|-
| License || MPL
|-
| Operating system || any
|-
| Current version || (2013-08-05)
|-
| Interface || command line interface
|-
| Output || html
|-
|}
=== Features ===
=== Applications ===
=== Links ===
== Watchtower ==
=== Summary ===
Static Code Analysis tool designed to assist in code reviews. It offers a robust alternative to grep for finding matches on literal and regex-based strings within a project.
=== Criteria ===
{|
| Homepage || https://github.com/chrisallenlane/watchtower
|-
| Code || https://github.com/chrisallenlane/watchtower
|-
| Target user group || reviewers
|-
| Analysis type || static
|-
| Programming language || Ruby
|-
| License || GPLv3
|-
| Operating system || any
|-
| Current version || 1.4.8 (2013-09-02)
|-
| Interface || command line interface
|-
| Output || html, csv, xml, txt
|-
|}
=== Features ===
=== Applications ===
=== Links ===