Preventing the Usage of Vulnerable JavaScript Libraries
Overview
In this short informational blog post we would like to
- point out the dangers of deploying vulnerable third-party JavaScript libraries in web projects and
- reference two tools that check for outdated libraries.
Issue
The recent context for this topic is a new study in which researchers systematically scanned more than 133,000 prominent websites for outdated JavaScript libraries [1]. The study found that more than a third of the scanned websites employ at least one library with a known vulnerability. Many sites even ship JavaScript libraries that have not been updated for years.
Third-party JavaScript libraries are often handy for quickly building interactive and good-looking web applications, but are later forgotten or treated as a static asset. Reluctance to update third-party libraries also stems from the fact that such updates often entail new testing effort.
However, from a security perspective the world changes every day. Even for the most widespread libraries, those often considered mature and reasonably secure, the publication of a single vulnerability can put thousands of websites at risk overnight. Typical vulnerabilities in JavaScript libraries allow attackers to perform cross-site scripting attacks and thus compromise the security of all users of the website. A more detailed discussion of the risks of employing third-party JavaScript libraries in web application projects can be found on the following OWASP page: [5].
Staying up to date
We recommend regularly checking whether new library versions are available. Ideally, one project member should subscribe to the security or announcement newsletters of vital third-party dependencies (if such channels exist). Of course, staying up to date manually is tedious, and incidents easily slip through the net. Hence, we additionally recommend two small tools that help to recognise whether outdated third-party libraries are in use. Both are free software.
Retire.js
Retire.js is a lightweight tool that scans a specified folder for references to vulnerable JavaScript libraries [4]. A list of vulnerable libraries, including links to descriptions of the respective vulnerabilities, ships with Retire.js; hence Retire.js itself has to be updated regularly (e.g. via git pull) so that this list stays current. For testing, it can also be integrated into Grunt, used as a Chrome or Firefox plugin, or run inside the HTTP proxies Burp and OWASP ZAP.
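To illustrate what a folder scanner of this kind does, here is a small Python example written for this post (it is not Retire.js code): it derives library name and version from file names and version banners, then compares them against a list of first fixed versions. The list and the sample files are constructed placeholders; a real scan must rely on a maintained vulnerability database such as the one shipped with Retire.js.

```python
"""Minimal folder scanner for outdated JavaScript libraries (example code)."""
import os
import re
from typing import Iterable, List, Optional, Tuple

# File names such as jquery-1.8.3.min.js or jquery.ui-1.10.4.js
FILENAME_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9.-]*?)[-.]v?(?P<ver>\d+(?:\.\d+){1,3})(?:\.min)?\.js$",
    re.I,
)
# Version banners such as "/*! jQuery v1.8.3 | (c) ..." at the top of a file
BANNER_RE = re.compile(r"/\*!?\s*(?P<name>[A-Za-z][\w.-]*)\s+v?(?P<ver>\d+(?:\.\d+){1,3})")

# CONSTRUCTED placeholder: library -> first version considered fixed.
# Replace with entries from a maintained vulnerability database.
MIN_SAFE_VERSION = {"jquery": (3, 0, 0), "angular": (1, 6, 0)}

def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '1.8.3' into (1, 8, 3) so versions compare numerically."""
    return tuple(int(p) for p in ver.split("."))

def detect_library(filename: str, head: str = "") -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (name, version) from the banner, else from the file name, else None."""
    m = BANNER_RE.search(head[:512]) or FILENAME_RE.match(os.path.basename(filename))
    if not m:
        return None
    return m.group("name").lower(), parse_version(m.group("ver"))

def is_outdated(name: str, version: Tuple[int, ...], db=MIN_SAFE_VERSION) -> bool:
    """True when the library is listed and older than its first fixed version."""
    return name in db and version < db[name]

def find_outdated(files: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, Tuple[int, ...]]]:
    """Report (path, name, version) for every outdated library among (path, head) pairs."""
    findings = []
    for path, head in files:
        hit = detect_library(path, head)
        if hit and is_outdated(*hit):
            findings.append((path, hit[0], hit[1]))
    return findings

def scan_folder(root: str) -> List[Tuple[str, str, Tuple[int, ...]]]:
    """Walk a folder and feed the first 512 bytes of each .js file to find_outdated."""
    def iter_js():
        for dirpath, _, names in os.walk(root):
            for fn in names:
                if fn.lower().endswith(".js"):
                    path = os.path.join(dirpath, fn)
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        yield path, fh.read(512)
    return find_outdated(iter_js())
```

Run `scan_folder("path/to/webroot")` against a deployment directory; every finding is a library to update, and an empty result only means nothing matched the (placeholder) list, not that the site is clean.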
OWASP Dependency Check
In this regard, we also recommend “OWASP Dependency Check” [2]. This utility scans a project for dependencies (e.g. all JAR files in the project path) and checks them against vulnerability databases (e.g. the well-known NIST CVE database [3]). Currently, it primarily targets Java and .NET projects. In addition to simple usage as a command line tool, Dependency Check can be integrated into the automated build process (plugins for Maven, Ant, Gradle and Jenkins are available).
References
[1] http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdf
[2] https://www.owasp.org/index.php/OWASP_Dependency_Check
[3] https://web.nvd.nist.gov/view/vuln/search
[4] https://retirejs.github.io/retire.js/
[5] https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet