js-x-ray: static analysis of detecting most common malicious patterns

js-x-ray

JavaScript AST analysis. This package has been created to export the Node-Secure AST Analysis to enable better code evolution and allow better access to developers and researchers.

The goal is to quickly identify dangerous code and patterns for developers and security researchers. Interpreting the results of this tool will still require you to have a set of security notions.

JavaScript AST analysis

Goals

The objective of the project is to successfully detect all potentially suspicious JavaScript codes. The target is codes that are added or injected for malicious purposes.

Most of the time these hackers will try to hide the behavior of their codes as much as possible to avoid being spotted or easily understood… The work of the library is to understand and analyze these patterns that will allow us to detect malicious code.

Features Highlight

  • Retrieve required dependencies and files for Node.js.
  • Detect unsafe RegEx.
  • Get warnings when the AST Analysis as a problem or when not able to follow a statement.
  • Highlight common attack patterns and API usages.
  • Capable to follow the usage of dangerous Node.js globals.
  • Detect obfuscated code and when possible the tool that has been used.

This section describes all the possible warnings returned by JSXRay.

name description
parsing-error An error occurred when parsing the JavaScript code with meriyah. It means that the conversion from string to AST as failed. If you encounter such an error, please open an issue here.
unsafe-import Unable to follow an import (require, require.resolve) statement/expr.
unsafe-regex A RegEx as been detected as unsafe and may be used for a ReDoS Attack.
unsafe-stmt Usage of a dangerous statement like eval() or Function("").
unsafe-assign Assignment of a protected global like process or require.
encoded-literal An encoded literal has been detected (it can be an hexa value, Unicode sequence, base64 string, etc)
short-identifiers This mean that all identifiers has an average length below 1.5. Only possible if the file contains more than 5 identifiers.
suspicious-literal This mean that the sum of suspicious score of all Literals is bigger than 3.
obfuscated-code (experimental) There’s a very high probability that the code is obfuscated…

Install & Use 

Copyright (c) 2021 NodeSecure