JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME

Black Hat USA 2013

Presented by: Nishant Das Patnaik, Sarathi Sabyasachi Sahoo
Date: Wednesday July 31, 2013
Time: 15:30 - 16:30
Location: Roman 2

Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps.

But the problem is, many developers practice in-secure coding which leads to many clients side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A javascript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat.

I would like to highlight some of the interesting features of the tool below:

Upcoming features:

Nishant Das Patnaik

Nishant Das Patnaik is an application security researcher by passion and profession. He is currently working as a Paranoid at Yahoo! India. Prior to Yahoo!, he worked as a Security Analyst at eBay Inc. He has about 5 years of experience in application security engineering & testing and has released couple of security advisories for popular hardware, native and web applications. You can find more information at http://nishant.daspatnaik.com.

Sarathi Sabyasachi Sahoo

Sarathi Sabyasachi Sahoo is a highly experienced web & mobile application developer by passion and profession. He has more than seven years of experience in developing complex algorithms and writing high-performance applications that can scale at ease. He is an aspiring entrepreneur in the Web 2.0 industry.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats