JavaScript security vulnerabilities checklist

Tools to check JavaScript security vulnerabilities

1) npm install
If you install dependencies with npm install in your application, make sure you keep all packages updated to their latest versions.

2) Snyk tool
You can sign up for the Snyk tool for free and add your repository to check for issues.
Snyk can be integrated with a GitHub repository; it can create pull requests and fix some issues automatically.

3) GitHub Dependabot
You can enable GitHub Dependabot from the Security tab of your GitHub repository and configure it to automatically create pull requests and apply updates.
It has basically the same features as the Snyk tool.

4) AppSensor
AppSensor is another tool for real-time event detection, analysis and response. More details can be found here.

5) OWASP.org
Always follow the security guidelines published on the official OWASP website while developing your application code.

Cross site scripting (XSS)

  • This occurs when untrusted input (for example from form fields or URL parameters) is inserted into a page as HTML, so that JavaScript contained in it runs in the victim's browser.
  • Always insert user data as plain text, or escape special/HTML characters before it reaches the page.
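
The escaping rule above, shown as an added example (this is not code from the original checklist): untrusted values are escaped for the HTML text context before being placed into markup. The comment-rendering functions, the sample input and the containsRawTag self-check are constructed for illustration.

```javascript
// Added example: escape untrusted input before it is placed into HTML, so a
// value such as <script> is shown as text instead of being parsed as markup.

// Characters with special meaning in HTML text and quoted attribute values,
// mapped to their entity references.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Coerce any value to a string, then replace every special character.
// Coercing first also covers non-string inputs (numbers, null, objects)
// that would otherwise reach the template untouched.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user-supplied values are concatenated straight into
// the markup, so any tags they contain are rendered as tags.
function renderCommentUnsafe(name, text) {
  return `<div class="comment"><b>${name}</b>: ${text}</div>`;
}

// Hardened rendering: every untrusted value is escaped, and the attribute
// value is quoted so the escaped quotes cannot break out of it.
function renderComment(name, text) {
  return `<div class="comment" data-author="${escapeHtml(name)}">` +
    `<b>${escapeHtml(name)}</b>: ${escapeHtml(text)}</div>`;
}

// Simple self-check: does the rendered fragment still contain a raw tag?
// (A real test would use an HTML parser; this regex is only illustrative.)
function containsRawTag(html) {
  return /<\/?(script|img|svg)[\s>]/i.test(html);
}

// Constructed sample input: a comment body that carries markup.
const SAMPLE_NAME = 'mallory';
const SAMPLE_TEXT = '<script>alert(1)</script> nice post';

console.log(renderCommentUnsafe(SAMPLE_NAME, SAMPLE_TEXT)); // tag survives
console.log(renderComment(SAMPLE_NAME, SAMPLE_TEXT));       // tag neutralised
```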

Broken authentication

  • Always use multi-factor authentication (MFA) in addition to passwords, and wherever user data is involved.
  • Never store passwords as plain text; hash them with bcrypt or the crypto module.
  • Never expose the session ID to browser-side code; let a server-side session library manage it.
  • Use HTTPS (SSL/TLS); plain HTTP is insecure.
  • For overall authentication and authorization, a service such as Auth0 can be used (decide who should have which access, create roles, etc.).

Sensitive data

  • If user data or other private data is stored, protect it with bcrypt (hashing) or the crypto module (encryption).
  • Client-side code and functions can be protected with a tool such as jscrambler.com.
  • Always use HTTPS; enable SSL/TLS on your websites.

XML External Entities

  • Always produce well-formed XML, and configure the parser so that it does not resolve external entities.
  • If attackers can submit malformed XML, they can cause a denial of service (DoS) through malformed XML header requests.
  • A SAST tool can be used to scan for XML-handling issues.

Security misconfigurations

  • Never deploy the development build to production.
  • Never leave all logging statements enabled in production.
  • Never leave debugging turned on in production.
  • Use strict password policies; never use default credentials.
  • Never add console.log statements that print sensitive data.
  • Always use proper roles for access control.

Insecure deserialization

  • Use serialization packages that do not rely on the eval() method to deserialize data.

Insufficient logging and monitoring

  • Set up Google Analytics, Elasticsearch, etc. to monitor user requests.
  • Enable user logs, server logs, activity logs, etc.