Blog post

What to expect from JavaScript/TypeScript analysis on OWASP JuiceShop

Alexandre Gigleux photo

Alexandre Gigleux

Product Manager

Date

  • SonarQube Cloud
  • Security
  • SonarQube Server
In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It now goes far beyond what we did...

In April 2021, we updated our JavaScript and TypeScript SAST engines to explore more execution flows, increase performance and improve overall accuracy. It now goes far beyond what we did in the past for these languages. With this post, we’re going to tell you what you can expect for these languages, and more specifically which vulnerabilities can be detected.


While working on improving our engine, we struggled to find a publicly available benchmark for JS/TS that could be used to assess the power of our engine. On Java, it was easy; the OWASP Benchmark is public and well-known. But for JS/TS, it’s almost an empty landscape.


We finally decided to rely on a famous training app called OWASP JuiceShop which is written in JS/TS. It wasn't designed to test SAST analyzers, but to train developers. Nevertheless, we’ve adopted it as our measuring stick because it's written to demonstrate exactly the kinds of insecure code we need to find.

Vulnerability Types Supported

The SonarQube Cloud JavaScript and TypeScript SAST analysis can detect 39 Security Hotspots and 28 Vulnerabilities. Among them, 13 are detected thanks to our Taint Analysis technology on which we focused recently. Here is the list as a reference of 13 injection vulnerabilities you can prevent thanks to SonarQube Cloud:

  • S3649: Database queries should not be vulnerable to injection attacks
  • S5334: Dynamic code execution should not be vulnerable to injection attacks
  • S5131: Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
  • S6096: Extracting archives should not lead to zip slip vulnerabilities
  • S5146: HTTP request redirections should not be open to forging attacks
  • S2083: I/O function calls should not be vulnerable to path injection attacks
  • S5696: Modifying the DOM should not lead to cross-site scripting (XSS) attacks
  • S6105: Modifying the DOM should not lead to open redirect vulnerabilities
  • S5147: NoSQL operations should not be vulnerable to injection attacks
  • S5883: OS commands should not be vulnerable to argument injection attacks
  • S2076: OS commands should not be vulnerable to command injection attacks
  • S2631: Regular expressions should not be vulnerable to Denial of Service attacks
  • S5144: Server-side requests should not be vulnerable to forging attacks

Performance

A precise SAST analysis is useless if it provides results hours or days after pull requests were created. Context switching would kill your velocity. If you get results in hours, you are probably already working on something else by the time they arrive. It would cost you precious time to get up to speed on this previous activity. At SonarSource, we consider speed of analysis as a key feature of a SAST solution. We worked hard to keep analysis time under control while exploring more paths and providing more precise results. 


The OWASP JuiceShop project is considered by SonarQube Cloud as medium-sized with its 34K LOCs. It can be analyzed very quickly.

SonarQube Cloud and Local Analysis

If you want to reproduce and explore the vulnerabilities we listed here, we invite you to clone the JuiceShop project and run your own scan on SonarQube Cloud.io.


On an average machine made of an Intel Core i5 3570 @ 3.40 GHz + 16Go of RAM, scanning the OWASP JuiceShop should take less than 6 minutes.

With SonarQube Cloud and Automatic Analysis

SonarQube Cloud can automatically scan projects made with JavaScript or TypeScript. On this  shared infrastructure, JuiceShop can be scanned in an average of 8 minutes.

Ground Truth & Results

Vulnerability TypeScopeFileLineDetected?
SQL InjectionServerroutes/login.js29Y
SQL InjectionServerroutes/search.js14Y
XSSClientfrontend/src/app/search-result/search-result.component.html13N
XSSClientfrontend/src/app/track-result/track-result.component.html8N
SSRFServerroutes/profileImageUrlUpload.js19Y
Open RedirectServerroutes/redirect.js16Y
NoSQL InjectionServerroutes/likeProductReviews.js15
18
25
35
Y
Y
Y
Y
NoSQL InjectionServerroutes/createProductReviews.js15Y
NoSQL InjectionServerroutes/order.js132Y
NoSQL InjectionServerroutes/updateProductReviews.js14Y
Code InjectionServerroutes/b2bOrder.js19N
Code InjectionServerroutes/showProductReviews.js29Y
Code InjectionServerroutes/trackOrder.js15Y

As of April 2021, SonarQube Cloud detects 13 of the 16 injection vulnerabilities. It means SonarQube Cloud automatically detects 81% of all the injection vulnerabilities in JuiceShop.

Conclusion

With SonarQube Cloud, you can make sure your Node.js / Express.js contains no injection vulnerabilities and this is proven by the scan of the famous OWASP JuiceShop project. Today, SonarQube Cloud covers the majority of the injection vulnerabilities a developer can introduce on server-side.


In the coming months, we are going to focus on client-side vulnerabilities and detect XSS vulnerabilities, in particular the ones that are highlighted by OWASP JuiceShop. Our goal is 100% detection in Juice Shop. Then we'll move on to get good results on the OpenSSF CVE Benchmark.


Note: if you are a SonarQube Server user, you have access to the same security engine starting from SonarQube Server Developer Edition 8.9 LTS

  • Legal documentation
  • Trust center
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.