Js-X-Ray : JavaScript & Node.js Open-Source SAST Scanner

Js-X-Ray is a JavaScript AST analysis. This package has been created to export the Node-Secure AST Analysis to enable better code evolution and allow better access to developers and researchers.

The goal is to quickly identify dangerous code and patterns for developers and Security researchers. Interpreting the results of this tool will still require you to have a set of security notions.

Goals

The objective of the project is to successfully detect all potentially suspicious JavaScript codes.. The target is obviously codes that are added or injected for malicious purposes..

Most of the time these hackers will try to hide the behaviour of their codes as much as possible to avoid being spotted or easily understood… The work of the library is to understand and analyze these patterns that will allow us to detect malicious code..

Features Highlight

  • Retrieve required dependencies and files for Node.js.
  • Detect unsafe RegEx.
  • Get warnings when the AST Analysis as a problem or when not able to follow a statement.
  • Highlight common attack patterns and API usages.
  • Capable to follow the usage of dangerous Node.js globals.
  • Detect obfuscated code and when possible the tool that has been used.

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i js-x-ray
or
$ yarn add js-x-ray

Usage Example

Create a local .js file with the following content:

try  {
    require("http");
}
catch (err) {
    // do nothing
}
const lib = "crypto";
require(lib);
require("util");
require(Buffer.from("6673", "hex").toString());

Then use js-x-ray to run an analysis of the JavaScript code:

const { runASTAnalysis } = require("js-x-ray");
const { readFileSync } = require("fs");

const str = readFileSync("./file.js", "utf-8");
const { warnings, dependencies } = runASTAnalysis(str);

const dependenciesName = [...dependencies];
const inTryDeps = [...dependencies.getDependenciesInTryStatement()];

console.log(dependenciesName);
console.log(inTryDeps);
console.log(warnings);

The analysis will return: http (in try), crypto, util and fs.

⚠️ There is also a lot of suspicious code example in the root cases directory. Feel free to try the tool on these files.

Warnings Legends (v2.0+)

Node-secure versions equal or lower than 0.7.0 are no longer compatible with the warnings table below.

This section describe all the possible warnings returned by JSXRay.

NameDescription
parsing-errorAn error occured when parsing the JavaScript code with meriyah. It mean that the conversion from string to AST as failed. If you encounter such an error, please open an issue here.
unsafe-importUnable to follow an import (require, require.resolve) statement/expr.
unsafe-regexA RegEx as been detected as unsafe and may be used for a ReDoS Attack.
unsafe-stmtUsage of dangerous statement like eval() or Function("").
unsafe-assignAssignment of a protected global like process or require.
encoded-literalAn encoded literal has been detected (it can be an hexa value, unicode sequence, base64 string etc)
short-identifiersThis mean that all identifiers has an average length below 1.5. Only possible if the file contains more than 5 identifiers.
suspicious-literalThis mean that the sum of suspicious score of all Literals is bigger than 3.
obfuscated-code (experimental)There’s a very high probability that the code is obfuscated…

API

  • runASTAnalysis(str: string, options?: RuntimeOptions): Report
  • generateWarning(kind: string, options?: WarningOptions): Warning< BaseWarning >
  • rootLocation(): SourceLocation
R K

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

4 days ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

4 days ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

5 days ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

7 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

1 week ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

1 week ago