JsPrime Presentation


JsPrime Javascript static code analyser

Author : Corina Aionitoaie


Date : 28.10.2014

Agenda
1. What is JSPrime?
2. Features
3. How does it work?
4. The good
5. The bad
6. Bibliography

1. What is JSPrime?

light-weight static code analyser

identifies security issues : XSS

written in javascript

2. Features

uses ECMAScript parser : Esprima

easy to use : point-and-click tool!

able to analyse pure javascript, jQuery and YUI code

supports minified javascript

minimum false positives

3. How does it work?

1. Parses code using Esprima, producing an AST (Abstract Syntax Tree)
2. Parses AST to find all:
   1. sources
   2. assignment operations related to the sources
   3. sinks and their aliases
   4. functions (closures & anonymous functions, too) that are fed with sources and track their return values

   keep track of their scope
3. checks for any filter functions on the sources and rejects them
4. repeats the process in reverse order to make sure it reaches the same sources
5. extracts line numbers and statements & generates report
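The forward pass of the steps above (sources, assignments, sinks, filter functions, line numbers) as an added sketch; it is not JSPrime's own code. It walks a flattened, constructed list of ESTree-shaped nodes like those Esprima emits, and the source, sink and filter lists are assumptions.

```javascript
// Assumed lists for this example: JSPrime needs sources and sinks supplied.
const SOURCES = ['location.hash', 'document.cookie'];
const SINKS = ['innerHTML', 'outerHTML'];
const FILTERS = ['encodeURIComponent']; // assumed "known filter function"

// Small constructors for ESTree-shaped nodes (hypothetical helpers).
const id = name => ({ type: 'Identifier', name });
const mem = (o, p) => ({ type: 'MemberExpression', object: id(o), property: id(p) });
const call = (f, arg) => ({ type: 'CallExpression', callee: id(f), arguments: [arg] });
const at = line => ({ start: { line } });
const decl = (line, name, init) => ({ type: 'VariableDeclarator', id: id(name), init, loc: at(line) });
const assign = (line, left, right) => ({ type: 'AssignmentExpression', left, right, loc: at(line) });

// Constructed AST for:
//   1: var a = location.hash;              2: var b = a;
//   3: var c = encodeURIComponent(a);      4: el.innerHTML = b;
//   5: el.innerHTML = c;
const SAMPLE_AST = [
  decl(1, 'a', mem('location', 'hash')),
  decl(2, 'b', id('a')),
  decl(3, 'c', call('encodeURIComponent', id('a'))),
  assign(4, mem('el', 'innerHTML'), id('b')),
  assign(5, mem('el', 'innerHTML'), id('c')),
];

// Is this expression tainted, given the set of tainted variable names?
function isTainted(node, tainted) {
  if (node.type === 'Identifier') return tainted.has(node.name);
  if (node.type === 'MemberExpression')
    return SOURCES.includes(node.object.name + '.' + node.property.name);
  if (node.type === 'CallExpression') // a known filter makes the result clean
    return !FILTERS.includes(node.callee.name) && node.arguments.some(a => isTainted(a, tainted));
  return false;
}

// Walk nodes in order: propagate taint through assignments, report tainted sinks.
function findFlows(ast) {
  const tainted = new Set(), findings = [];
  for (const n of ast) {
    const isDecl = n.type === 'VariableDeclarator';
    const value = isDecl ? n.init : n.right;
    const target = isDecl ? n.id : n.left;
    const hit = isTainted(value, tainted);
    if (target.type === 'Identifier' && hit) tainted.add(target.name);
    if (target.type === 'MemberExpression' && hit && SINKS.includes(target.property.name))
      findings.push({ line: n.loc.start.line, sink: target.property.name });
  }
  return findings;
}
```

On the sample, only line 4 is reported: `b` aliases the source, while `c` passed through the assumed filter. The reverse pass, function tracking and scope handling listed above are not covered here.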

Demo

4. The good

follows execution order

handles first-class functions

analyses prototype-based inheritance

aware of sources and sinks

analyses taking into consideration variable, objects and function scopes

known filter function aware

5. The not so good

can't detect 100% of the issues

sources and sinks have to be supplied

can't handle obfuscated javascript

can't report issues in minified javascript, unless beautified

6. Bibliography

http://www.blackhat.com/us-13/archives.html#Patnaik

http://esprima.org/

https://www.youtube.com/watch?v=_N5hTQzYj-0

http://dpnishant.github.io/jsprime/

https://github.com/dpnishant/jsprime
