JS Pentest visual

Marc Andreessen once said that software is eating the world. Today we can say that JavaScript is eating the software. Since the introduction of Node.js and npm, the use of JavaScript in projects across different sectors has grown exponentially. JavaScript is now everywhere! From traditional web applications to desktop and mobile applications, you can see the fingerprints of JS. Right now I am writing these lines in VS Code, which is written purely in JavaScript. Isn't it amazing? However, the popularity of JavaScript also makes it a honeypot for attackers. By writing exploits (malware, trojans) in JavaScript, attackers can now affect more applications and thus more people. Do you remember the event-stream incident? A single attack on that popular package affected 2 million people weekly for two months until it was detected. That is why it is crucial for developers to pay more attention to the security of JavaScript applications now than ever before.

Below you can find a list of automated tools that can help you find vulnerable packages in your JavaScript applications. But remember, this is only the first step in securing your applications.

1. npm audit

npm audit is a new command that performs a moment-in-time security review of your project’s dependency tree. Audit reports contain information about security vulnerabilities in your dependencies and can help you fix a vulnerability by providing simple-to-run npm commands and recommendations for further troubleshooting.

2. Snyk

Even if npm audit gives you a good amount of information, you should also try Snyk, an automated tool that discovers vulnerabilities and patches them. You can read more about the differences between Snyk and npm audit in the post by Igor Shmukler.

3. retirejs

Retirejs is another tool for detecting vulnerable libraries used by a JavaScript application. What I like about this tool is that it has Chrome and Firefox extensions, which can be very handy if you are developing a web application.