Javascript Security Vulnerabilities Examples (DarwinBox)

In this post, you will learn quick tips on security vulnerabilities related to Javascript based on analysis of how Javascript assets are managed in DarwinBox, and how to fix those security vulnerabilities.

Security Vulnerabilities found with Javascript Assets

While assessing the Javascript assets of DarwinBox, the following was found:

• Coding: Javascript code could be easily read and understood. There is a need to minimize and uglify the code.
• Method naming: The name of methods leak the implementation details and the underlying technology used. This could be used by hackers for planning attacks. For example, the method such as “doElasticSearch”. This represents that ElasticSearch is used for the search.
• File naming: The name of files represented the models and related structure/relationship. This may not be the best way of naming the files. This information could be used by hackers.
• Access permissions: All of the assets could be accessed from this webpage.

Security Vulnerabilities Fixes

The following could be used to fix the security vulnerabilities mentioned above:

• Minimize/Uglify the javascript and then only put them on CDN
• Avoid naming methods based on underlying technologies. For example, methods such as “doElasticSearch” provide the information that ElasticSearch may be used within for searching.
• Set appropriate access permissions to the different folders in assets. This is a key way of controlling the privacy of website’s assets.
• The name of the JS files should be named appropriately, preferably, in a cryptic manner such that internal models could not be comprehended using the file names.

Summary

In this post, you learned about some of the Javascript security vulnerabilities using examples from DarwinBox.