SLTechnology News&Howtos > Network Security (updated 2025-01-16)
Shulou (Shulou.com) 05/31 Report
This article explains how to use js-x-ray to detect common malicious behaviors in JavaScript and Node.js code. It is a practical tool, so it is shared here in the hope that readers take something away from it.
js-x-ray
js-x-ray is an open source SAST (static application security testing) tool for JavaScript: it parses code into an AST and analyzes that tree to detect common malicious behaviors and patterns in JavaScript and Node.js code.
The project exports the AST analysis originally built for Node-Secure so that it can evolve on its own and be reused directly by developers and researchers. Its main goal is to help developers and security researchers quickly identify dangerous code and patterns. Interpreting the output fully still requires some security knowledge: the tool reports suspicious patterns, it does not deliver a verdict.
The project aims to detect all suspicious JavaScript code, meaning code that has clearly been added or injected for malicious purposes. Most of the time attackers try to hide what their code does, either to avoid triggering detection engines or to make an analyst's job harder. The task of js-x-ray is to recognize these hiding patterns and make the code behind them visible.
Features
Retrieve the dependencies and files required by the JavaScript code
Detect unsafe regular expressions
Get a warning when AST parsing fails or a statement cannot be traced
Highlight common attack patterns and API calls
Track and analyze dangerous use of JavaScript globals
Detect obfuscated code and, where possible, the tool used to obfuscate it
Tool installation
The js-x-ray package is published on the npm registry (the source is also available from the project's code repository) and can be installed with npm or yarn:
$ npm i js-x-ray
# or
$ yarn add js-x-ray
Tool use
Create a local file named file.js with the following content. The last require hides its target behind a hex-encoded string: "6673" decodes to "fs".
try {
  require("http");
} catch (err) {
  // do nothing
}
const lib = "crypto";
require(lib);
require("util");
require(Buffer.from("6673", "hex").toString());
Next, call the runASTAnalysis function exported by js-x-ray on the file's contents (js-x-ray is a library, not a command-line tool):
const { runASTAnalysis } = require("js-x-ray");
const { readFileSync } = require("fs");

const str = readFileSync("./file.js", "utf-8");
const { warnings, dependencies } = runASTAnalysis(str);

// All dependencies, and the subset required inside a try statement
const dependenciesName = [...dependencies];
const inTryDeps = [...dependencies.getDependenciesInTryStatement()];

console.log(dependenciesName);
console.log(inTryDeps);
console.log(warnings);
The analysis returns the dependencies http, crypto, util and fs, with http additionally listed by getDependenciesInTryStatement() because it is required inside a try block. Note that crypto is only found by following the lib variable, and fs only by decoding the hex literal passed to Buffer.from; a scanner that matched require("...") strings literally would miss both.
The project's cases directory also contains many examples of suspicious code that can be analyzed; interested readers can run js-x-ray against them.
Returned warnings
Each warning carries a kind; the kinds and their meaning are:
parsing-error: Error while parsing the JavaScript code with meriyah, meaning the conversion from string to AST failed.
unsafe-import: An import (require, require.resolve) statement or expression could not be tracked.
unsafe-regex: A regular expression was detected as unsafe and may be usable in a ReDoS attack.
unsafe-stmt: A dangerous statement was used, such as eval() or Function("").
unsafe-assign: A protected global such as process is assigned to.
encoded-literal: An encoded literal (hexadecimal value, unicode sequence, Base64 string, and so on) was detected.
short-identifiers: The average length of all identifiers is below 1.5. Only returned if the file contains more than 5 identifiers.
suspicious-literal: The sum of the suspicious scores of all string literals is greater than 3.
obfuscated-code (experimental): The code may be obfuscated.
API
runASTAnalysis(str, options)
interface RuntimeOptions {
  module?: boolean;
  isMinified?: boolean;
}
The first parameter is the source code to analyze; the second is an optional RuntimeOptions object. The method returns a Report object:
interface Report {
  dependencies: ASTDeps;
  warnings: Warning[];
  idsLengthAvg: number;
  stringScore: number;
  isOneLineRequire: boolean;
}
generateWarning
Builds a Warning from a WarningOptions object:
interface WarningOptions {
  location: Location;
  file?: string;
  value?: string;
}
rootLocation()
Returns a default SourceLocation with the following content:
{ start: { line: 0, column: 0 }, end: { line: 0, column: 0 } }
License agreement
The development and release of this project follows the MIT open source license agreement.
The above is how to use js-x-ray to detect common malicious behavior in JavaScript and Node.js. Some of these points are likely to come up in daily work; we hope you learned something from this article.