27 Jun, 2014

Javascript Security Tools

by Mike McCabe

The world of JavaScript is exploding these days with new frameworks, libraries and tools. Everything from Node.js to Backbone.js is becoming more popular for new development and for integration with old projects. This presents new issues for security teams and consultants trying to test and protect those applications. Luckily, there are quite a few options for automated and manual JavaScript security testing. In this post we’ll go over a few of them and how they can be used to increase the security of your JavaScript code.

Retire.js

Similar to Dependency Check or Bundler-Audit, Retire.js looks at your third-party libraries and finds any publicly disclosed vulnerabilities that apply to them. The tool is especially useful when used in conjunction with a CI server to automatically monitor for new vulnerabilities in your third-party libraries.

Retire.js run against Railsgoat, the vulnerable Rails application.

Retire.js can also be used as a Chrome or Firefox extension to notify you of out of date libraries in use on a site. This can be useful during application assessments.

ScanJS

ScanJS is a static analysis tool for JavaScript. ScanJS will create an AST of your JavaScript, parse it for common sources and sinks, and report security issues. It includes 107 rules ranging from DOM XSS to usage of sensitive APIs. ScanJS can be run as a local server or from the command line. The web UI will allow you to upload files to be analyzed.

JSPrime

JSPrime is another static analysis tool built for JavaScript security testing. JSPrime is similar to ScanJS but it’s built on top of Esprima, the ECMAScript parser by Ariya Hidayat. It also identifies sources and sinks in the code to detect common DOM XSS vulnerabilities.

JSPrime can be run as a server locally, where JavaScript code is analyzed. The results are displayed in the web UI and include the sources and sinks for each result.
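To make the source-and-sink idea behind ScanJS and JSPrime concrete, here is an added example (not code from either project): a toy checker that flags flows from a few attacker-controlled DOM sources to a few dangerous sinks, run over a constructed snippet. Real tools walk a full AST; this one only matches single-line assignments with regexes and tracks taint through simple variables, and its source and sink lists are an illustrative subset chosen here.

```javascript
// Added example, not ScanJS or JSPrime code: a toy source-to-sink checker in the
// spirit of their rule-based DOM XSS analysis. Real tools walk a full AST; this
// one matches assignments with regexes and propagates taint through simple
// variable assignments. The source/sink lists are a small illustrative subset.
const SOURCES = ['location.hash', 'location.search', 'document.URL', 'document.referrer', 'window.name'];
const PROP_SINKS = /\.(innerHTML|outerHTML)\s*=\s*(.+?);?$/;
const CALL_SINKS = /\b(document\.write|eval|setTimeout)\s*\((.*)\)/;
const ASSIGN = /^(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=\s*(.+?);?$/;
// Does expr derive from an attacker-controlled source, directly or through a
// tainted variable? Returns {source, via} (via = variable name or null) or null.
function taintOf(expr, tainted) {
  for (const s of SOURCES) if (expr.includes(s)) return { source: s, via: null };
  for (const [name, source] of tainted) {
    if (new RegExp('\\b' + name + '\\b').test(expr)) return { source, via: name };
  }
  return null;
}

// Scan a snippet line by line; returns [{line, sink, source, via}].
function scanSnippet(code) {
  const tainted = new Map(); // variable name -> originating source
  const findings = [];
  code.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    const a = line.match(ASSIGN);
    if (a) { // plain variable assignment: record or clear its taint
      const ta = taintOf(a[2], tainted);
      if (ta) tainted.set(a[1], ta.source); else tainted.delete(a[1]);
    }
    const m = line.match(PROP_SINKS) || line.match(CALL_SINKS);
    if (!m) return;
    const t = taintOf(m[2], tainted); // m[1] = sink name, m[2] = value written / argument
    if (t) findings.push({ line: idx + 1, sink: m[1], source: t.source, via: t.via });
  });
  return findings;
}
// Constructed sample: a tainted flow through a variable, a safe textContent write,
// a clean innerHTML write, and a direct source-to-eval flow.
const SAMPLE = [
  'var q = location.hash.slice(1);',
  'var msg = "Hello " + q;',
  'document.getElementById("out").innerHTML = msg;',
  'document.getElementById("safe").textContent = msg;',
  'var clean = "static text";',
  'document.getElementById("ok").innerHTML = clean;',
  'eval(window.name);',
].join('\n');

for (const f of scanSnippet(SAMPLE)) console.log(`line ${f.line}: ${f.source} reaches ${f.sink}${f.via ? ' via ' + f.via : ''}`);
```

The `textContent` write and the `innerHTML` write of a constant are not reported, while the `innerHTML` write fed by `location.hash` through `msg` and the direct `eval(window.name)` are; like the real tools, a hit here is a candidate that still needs manual validation.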

None of these tools is as simple as clicking ‘go’ and reading a report. The issues they report need further research and validation before they can be considered confirmed vulnerabilities. Nonetheless, these tools offer great insight and a starting place to secure your JavaScript projects.

This post only touched on a few of the many tools available to help secure your JavaScript code. We also recommend looking at Dominator Pro, the DOM XSS scanner; Helmet, the security middleware for Node.js applications; and the DOM-XSS Scanner Checks for Burp. It’s good to know that as the world of JavaScript development expands with new frameworks and libraries, the tools and techniques to secure them are evolving as well. We’ll follow up in future posts with more information on how to secure your JavaScript applications.

Mike McCabe is the Director of Professional Services at nVisium Security. In his free time he likes to build and hack on open source projects. He’s a big fan of Burp and set -o vi in his bash profile. Mike also serves as a board member for the OWASP NoVa chapter.