Preventing the Usage of Vulnerable JavaScript Libraries
Overview
In this short informational blog post we would like to
- point out the dangers of deploying vulnerable third-party JavaScript libraries in web projects and
- reference two tools that check for outdated libraries.
Issue
The recent context for this topic is a new study in which researchers systematically scanned more than 133,000 prominent websites for outdated JavaScript libraries [1]. The study found that more than a third of the scanned websites use at least one library with a known vulnerability. Many sites even ship JavaScript libraries that have not been updated for years.
Third-party JavaScript libraries are handy for quickly building interactive and good-looking web applications, but they are later forgotten or treated as a static asset. Reluctance to update third-party libraries also stems from the fact that such updates usually entail new testing effort.
However, from a security perspective the world changes every day. Even for the most widespread libraries, those often considered mature and reasonably secure, the publication of a single vulnerability can put thousands of websites at risk overnight. Typical vulnerabilities in JavaScript libraries allow attackers to perform cross-site scripting attacks and thus compromise the security of all users of the website. A more detailed discussion of the risks of employing third-party JavaScript libraries in web application projects can be found on the following OWASP page: [5].
Staying up to date
We recommend checking regularly whether new library versions are available. Ideally, one project member should subscribe to the security or announcement mailing lists of vital third-party dependencies (where such channels exist). Of course, manually staying up to date is tedious, and incidents easily slip through the net. Hence, we additionally recommend two small tools that help to recognise whether outdated third-party libraries are in use. Both tools are free software.
Retire.js
Retire.js is a lightweight tool that scans a specified folder for references to vulnerable JavaScript libraries [4]. A list of vulnerable libraries, including links to descriptions of the respective vulnerabilities, is shipped with Retire.js; hence Retire.js itself has to be updated regularly (e.g. via git pull) so that this list stays current. It can also be integrated into grunt for testing, used as a Chrome or Firefox plugin, or run inside the HTTP proxies Burp and OWASP ZAP.
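As an added illustration (not Retire.js's own code or data format), the following miniature scanner shows the kind of check Retire.js performs: a library name and version are extracted from a file name or the file's banner comment and compared numerically against a list of affected version ranges. The repository entries, the extractor patterns and the advisory id PLACEHOLDER-0001 are constructed for this example.

```javascript
'use strict';
// Constructed mini-repository: library -> version extractors + affected ranges.
// The format is a simplification invented for this example, not Retire.js's real data.
const repo = {
  jquery: {
    extractors: [
      /jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js$/i,   // version from the file name
      /\/\*!?\s*jQuery v(\d+\.\d+\.\d+)/,         // version from the banner comment
    ],
    vulnerabilities: [
      // Constructed placeholder range, not a real advisory.
      { atOrAbove: '1.0.0', below: '1.9.0', id: 'PLACEHOLDER-0001' },
    ],
  },
};

// Compare dotted versions numerically so that "1.10.0" sorts above "1.9.0"
// (a plain string comparison would get this wrong).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Identify library and version from a file name and the file's leading content.
function detect(fileName, content) {
  for (const [lib, entry] of Object.entries(repo)) {
    for (const re of entry.extractors) {
      const m = re.exec(fileName) || re.exec(content);
      if (m) return { lib, version: m[1] };
    }
  }
  return null;
}

// Return one finding per affected range the detected version falls into.
function findVulnerabilities(fileName, content = '') {
  const hit = detect(fileName, content);
  if (!hit) return [];
  return repo[hit.lib].vulnerabilities
    .filter(v => compareVersions(hit.version, v.below) < 0 &&
                 (!v.atOrAbove || compareVersions(hit.version, v.atOrAbove) >= 0))
    .map(v => ({ ...hit, id: v.id }));
}
```

Walking a folder with fs and passing each file's name and first kilobyte to findVulnerabilities is all that is missing to turn this into a folder scan like the one Retire.js performs.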
OWASP Dependency Check
In this regard, we also recommend “OWASP Dependency Check” [2]. This utility scans a project for dependencies (e.g. all jar files in the project path) and checks them against vulnerability databases (e.g. the well-known NIST CVE database [3]). Currently, it primarily targets Java and .NET projects. In addition to simple usage as a command line tool, Dependency Check can be integrated into the automated build process (plugins for Maven, Ant, Gradle and Jenkins are available).
References
[1] http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf
[2] https://www.owasp.org/index.php/OWASP_Dependency_Check
[3] https://web.nvd.nist.gov/view/vuln/search
[4] https://retirejs.github.io/retire.js/
[5] https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet