Whitepaper: Javascript Security Scanning

Modern web applications rely heavily on JavaScript for everything from simple DOM manipulation to complex single-page applications. Developers now have a wide range of frameworks to choose from that enable full stack development in a single language, combing both front

But with great power comes great responsibility, and significant security risks. That's why we've reworked how handles Javascript scanning through an intelligent scanning system that automatically detects vulnerabilities in both frontend and backend JavaScript code.

The Challenge: JavaScript's Security Blind Spots

JavaScript presents unique security challenges that traditional static analysis tools often miss. Client-side code runs in the browser where attackers have direct access, while server-side Node.js applications handle sensitive data and business logic.

Frontend vulnerabilities like DOM-based XSS can execute malicious scripts directly in users' browsers, while backend vulnerabilities such as SQL injection can compromise entire databases. The problem? Most security tools treat all JavaScript the same, leading to irrelevant findings and missed critical issues. The security context of a .js or .ts file completely changes depending if it's frontend or backend code. This is particularly true with frameworks such as Next.js where a single code-base is handling both front-end and back-end logic.

Not being able to distinguish between the two during scans means that scan times can take much longer as you need to check for more types of vulnerabilities, false positives skyrocket and application context is muddied for the LLM as certain frameworks are opinionated on how things should be structured.

How did we solve this problem?

While scanning, it's important for Corgea to understand the code it's dealing with and route it's scanning engine to the appropriate methodology, so it's important to understand: Is this frontend javascript or backend javascript?

Our system uses a multi-layered approach that combines intelligent code analysis with context-aware scanning:

1. Intelligent Frontend/Backend Detection

Corgea automatically determines whether JavaScript code is frontend or backend by using a multi-layered methodology:

• Framework signatures: Detects React, Angular, Vue.js for frontend vs Express, Fastify, NestJS for backend

• Code patterns: Identifies DOM manipulation (`document.getElementById`, `window.location`) vs server patterns (`require('fs')`, `app.listen()`)

• Import statements: Distinguishes browser APIs from Node.js modules

Take for example this code, which is clearly backend Javascript code because it has a db connection, and is creating a node.js server.

const http = require('http');
const _ = require('lodash');
const qs = require('querystring');
const semver = require('semver');
const JSON5 = require('json5');
const { sequelize, User, Password } = require('./init_db');
const sqlite3 = require("sqlite3").verbose();
const db = new sqlite3.Database("./data.db");
const mysql = require('mysql2');
const fs = require('fs');
const path = require('path');


const connection = mysql.createConnection({
  host: 'localhost',
  user: 'root',
  password: 'topsecret',
  database: 'database'
});

connection.connect((err) => {
  if (err) {
      console.error('Error connecting to the MySQL database:', err);
  } else {
      console.log('Connected to the MySQL database.');
  }
});

const hostname = '0.0.0.0';
const port = 3000;

const server = http.createServer((req, res) => {
  ...

This context-aware detection ensures that each file is scanned with the appropriate security rules. While this seems very obvious at first and that it would be clear cut, we faced a lot of edge cases to consider as some files don't exhibit frontend or backend signals.

This md5 checksum function doesn't have any clues if it's used for backend or frontend code making it difficult to know how to treat it, so we default to treating it as backend.

/**
 * Creates an MD5 checksum of the given input string.
 * @param {string} input - The input string to hash.
 * @returns {string} The MD5 hash as a hexadecimal string.
 */
function md5Checksum(input) {
  const crypto = require('crypto');
  return crypto.createHash('md5').update(input, 'utf8').digest('hex');
}

2. Specialized Scanning Engines

Based on the outcomes of the frontend/backend detection, we fork scanning down two different paths.

Corgea applies different security rules based on the execution environment. For example:

• Frontend: Focuses on DOM XSS, open redirects, insecure storage, and cross-origin messaging

• Backend: Prioritizes SQL injection, command injection, path traversal, and authentication bypass
  This targeted approach eliminates false positives while ensuring real threats aren't missed.

For Frontend JavaScript, we created a dedicated rulesets that specializes in client-side vulnerabilities:

// Corgeacan detects this DOM XSS vulnerability
function updateContent(userInput) {
    document.getElementById('output').innerHTML = userInput; // Dangerous!
}
// And this code injection risk
function executeUserCode(code) {
    eval(code); // Critical vulnerability
}

For Backend JavaScript, our LLM-powered scanner understands server-side context. We find we need a lot more intelligence here to detect things like business logic flaws, IDORs, mass assignments, etc.:

// Corgea identifies this SQL injection
app.get('/users', (req, res) => {
  const query = `SELECT * FROM users WHERE id = ${req.query.id}`;
  db.query(query); // Vulnerable to injection
});

3. Advanced False Positive Reduction

Our system includes sophisticated logic to distinguish between real vulnerabilities and safe code patterns:

// Corgea knows this is SAFE (React's built-in protection)
function SafeComponent({ userInput }) {
  return <div>{userInput}</div>; // JSX auto-escapes
}
// But flags this as DANGEROUS
function VulnerableComponent({ userInput }) {
  return <div dangerouslySetInnerHTML={{__html: userInput}} />; // XSS risk
}

Conclusion

JavaScript security is evolving rapidly with new frameworks, APIs, and attack vectors emerging constantly. Corgea's JavaScript scanning framework is designed to adapt, with regular updates to our detection rules and scanning engines to stay ahead of emerging threats.