Characterizing JavaScript Security Code Smells
Vikas Kambhampati, Nehaz Hussain Mohammed, Amin Milani Fard

TL;DR
This paper identifies and characterizes 24 JavaScript security code smells, maps them to CWE, and implements detection mechanisms to improve security awareness and code quality in JavaScript applications.
Contribution
It introduces a novel set of 24 JavaScript security code smells, maps them to CWE, and extends an existing tool for their detection.
Findings
Identified 24 security code smells specific to JavaScript.
Mapped security smells to CWE for better understanding.
Extended detection tools to identify these security smells.
Abstract
JavaScript has been consistently among the most popular programming languages in the past decade. However, its dynamic, weakly-typed, and asynchronous nature can make it challenging to write maintainable code for developers without in-depth knowledge of the language. Consequently, many JavaScript applications tend to contain code smells that adversely influence program comprehension, maintenance, and debugging. Due to the widespread usage of JavaScript, code security is an important matter. While JavaScript code smells and detection techniques have been studied in the past, current work on security smells for JavaScript is scarce. Security code smells are coding patterns indicative of potential vulnerabilities or security weaknesses. Identifying security code smells can help developers to focus on areas where additional security measures may be needed. We present a set of 24 JavaScript…
Taxonomy
Topics: Web Application Security Vulnerabilities · Advanced Malware Detection Techniques · Security and Verification in Computing
