What to expect from JavaScript/TypeScript analysis on OWASP JuiceShop

by alexandre gigleux|

Our JavaScript and TypeScript SAST engines filter the Vulnerabilities out of OWASP JuiceShop.

In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It now goes far beyond what we did in the past for these languages. With this post, we’re going to tell you what you can expect for these languages, and more specifically which vulnerabilities can be detected.

While working on improving our engine, we struggled to find a publicly available benchmark for JS/TS that could be used to assess the power of our engine. On Java, it was easy; the OWASP Benchmark is public and well-known. But for JS/TS, it’s almost an empty landscape.

We finally decided to rely on a famous training app called OWASP JuiceShop which is written in JS/TS. It wasn't designed to test SAST analyzers, but to train developers. Nevertheless, we’ve adopted it as our measuring stick because it's written to demonstrate exactly the kinds of insecure code we need to find.

Vulnerability Types Supported

The SonarCloud JavaScript and TypeScript SAST analysis can detect 39 Security Hotspots and 28 Vulnerabilities. Among them, 13 are detected thanks to our Taint Analysis technology on which we focused recently. Here is the list as a reference of 13 injection vulnerabilities you can prevent thanks to SonarCloud:

  • S3649: Database queries should not be vulnerable to injection attacks
  • S5334: Dynamic code execution should not be vulnerable to injection attacks
  • S5131: Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
  • S6096: Extracting archives should not lead to zip slip vulnerabilities
  • S5146: HTTP request redirections should not be open to forging attacks
  • S2083: I/O function calls should not be vulnerable to path injection attacks
  • S5696: Modifying the DOM should not lead to cross-site scripting (XSS) attacks
  • S6105: Modifying the DOM should not lead to open redirect vulnerabilities
  • S5147: NoSQL operations should not be vulnerable to injection attacks
  • S5883: OS commands should not be vulnerable to argument injection attacks
  • S2076: OS commands should not be vulnerable to command injection attacks
  • S2631: Regular expressions should not be vulnerable to Denial of Service attacks
  • S5144: Server-side requests should not be vulnerable to forging attacks

Performance

A precise SAST analysis is useless if it provides results hours or days after pull requests were created. Context switching would kill your velocity. If you get results in hours, you are probably already working on something else by the time they arrive. It would cost you precious time to get up to speed on this previous activity. At SonarSource, we consider speed of analysis as a key feature of a SAST solution. We worked hard to keep analysis time under control while exploring more paths and providing more precise results. 

The OWASP JuiceShop project is considered by SonarCloud as medium-sized with its 34K LOCs. It can be analyzed very quickly.

SonarCloud and Local Analysis

If you want to reproduce and explore the vulnerabilities we listed here, we invite you to clone the JuiceShop project and run your own scan on SonarCloud.io.

On an average machine made of an Intel Core i5 3570 @ 3.40 GHz + 16Go of RAM, scanning the OWASP JuiceShop should take less than 6 minutes.

With SonarCloud and Automatic Analysis

SonarCloud can automatically scan projects made with JavaScript or TypeScript. On this  shared infrastructure, JuiceShop can be scanned in an average of 8 minutes.

Ground Truth & Results

Vulnerability TypeScopeFileLineDetected?
SQL InjectionServerroutes/login.js29Y
SQL InjectionServerroutes/search.js14Y
XSSClientfrontend/src/app/search-result/search-result.component.html13N
XSSClientfrontend/src/app/track-result/track-result.component.html8N
SSRFServerroutes/profileImageUrlUpload.js19Y
Open RedirectServerroutes/redirect.js16Y
NoSQL InjectionServerroutes/likeProductReviews.js15
18
25
35
Y
Y
Y
Y
NoSQL InjectionServerroutes/createProductReviews.js15Y
NoSQL InjectionServerroutes/order.js132Y
NoSQL InjectionServerroutes/updateProductReviews.js14Y
Code InjectionServerroutes/b2bOrder.js19N
Code InjectionServerroutes/showProductReviews.js29Y
Code InjectionServerroutes/trackOrder.js15Y

As of April 2021, SonarCloud detects 13 of the 16 injection vulnerabilities. It means SonarCloud automatically detects 81% of all the injection vulnerabilities in JuiceShop.

Conclusion

With SonarCloud, you can make sure your Node.js / Express.js contains no injection vulnerabilities and this is proven by the scan of the famous OWASP JuiceShop project. Today, SonarCloud covers the majority of the injection vulnerabilities a developer can introduce on server-side.

In the coming months, we are going to focus on client-side vulnerabilities and detect XSS vulnerabilities, in particular the ones that are highlighted by OWASP JuiceShop. Our goal is 100% detection in Juice Shop. Then we'll move on to get good results on the OpenSSF CVE Benchmark.

Note: if you are a SonarQube user, you have access to the same security engine starting from SonarQube Developer Edition 8.9 LTS