In this post, you will learn quick tips on security vulnerabilities related to Javascript based on analysis of how Javascript assets are managed in DarwinBox, and how to fix those security vulnerabilities.
Security Vulnerabilities found with Javascript Assets
While assessing the Javascript assets of DarwinBox, the following was found:
- Coding: Javascript code could be easily read and understood. There is a need to minimize and uglify the code.
- Method naming: The name of methods leak the implementation details and the underlying technology used. This could be used by hackers for planning attacks. For example, the method such as “doElasticSearch”. This represents that ElasticSearch is used for the search.
- File naming: The name of files represented the models and related structure/relationship. This may not be the best way of naming the files. This information could be used by hackers.
- Access permissions: All of the assets could be accessed from this webpage.
Security Vulnerabilities Fixes
The following could be used to fix the security vulnerabilities mentioned above:
- Minimize/Uglify the javascript and then only put them on CDN
- Avoid naming methods based on underlying technologies. For example, methods such as “doElasticSearch” provide the information that ElasticSearch may be used within for searching.
- Set appropriate access permissions to the different folders in assets. This is a key way of controlling the privacy of website’s assets.
- The name of the JS files should be named appropriately, preferably, in a cryptic manner such that internal models could not be comprehended using the file names.
Summary
In this post, you learned about some of the Javascript security vulnerabilities using examples from DarwinBox.
I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin.
Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.
Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.
Latest posts by Ajitesh Kumar (see all)
- Agentic Reasoning Design Patterns in AI: Examples - October 18, 2024
- LLMs for Adaptive Learning & Personalized Education - October 8, 2024
- Sparse Mixture of Experts (MoE) Models: Examples - October 6, 2024
I found it very helpful. However the differences are not too understandable for me