Characterizing JavaScript Security Code Smells

Vikas Kambhampati, Nehaz Hussain Mohammed, Amin Milani Fard

TL;DR

JavaScript's dynamic and weakly-typed nature makes security issues hard to detect and code hard to maintain. The authors enumerate 24 security code smells for JavaScript, map each to CWE and OWASP categories, and extend the open-source JSNose tool to detect them via static and dynamic analysis. The work provides a concrete detection pipeline, refactoring guidance, and an empirical validation on a simple web app, while discussing limitations and threats to validity. The contributions offer developers a structured way to identify security weaknesses in JavaScript code and set the stage for broader empirical studies and ML-based smell detectors.

Abstract

JavaScript has been consistently among the most popular programming languages in the past decade. However, its dynamic, weakly-typed, and asynchronous nature can make it challenging to write maintainable code for developers without in-depth knowledge of the language. Consequently, many JavaScript applications tend to contain code smells that adversely influence program comprehension, maintenance, and debugging. Due to the widespread usage of JavaScript, code security is an important matter. While JavaScript code smells and detection techniques have been studied in the past, current work on security smells for JavaScript is scarce. Security code smells are coding patterns indicative of potential vulnerabilities or security weaknesses. Identifying security code smells can help developers to focus on areas where additional security measures may be needed. We present a set of 24 JavaScript security code smells, map them to a possible security awareness defined by Common Weakness Enumeration (CWE), explain possible refactoring, and explain our detection mechanism. We implement our security code smell detection on top of an existing open source tool that was proposed to detect general code smells in JavaScript.

Paper Structure

This paper contains 9 sections, 1 figure, 1 table.

Figures (1)

  • Figure 1: Processing view of JSNose [fard2013jsnose] for detecting JavaScript code smells at client-side.