JavaScript Static Analysis – Locate Dangerous Functions

Semgrep is an open-source static analysis tool for detecting vulnerabilities in code. You can write your own detection rules or use rules created by the community.

Dangerous JavaScript Functions and Properties:

– `Element.innerHTML`
– `eval()`
– `window.postMessage()`
– `window.addEventListener()`
– `window.localStorage`
– `window.sessionStorage`
– `document.cookie`

You Should Know:

1. Using Semgrep for Static Code Analysis

Install Semgrep and scan JavaScript files for dangerous patterns:

pip install semgrep 
semgrep --config=p/javascript.best-practice dangerous-functions.js 

2. Detecting `eval()` and `innerHTML` Misuse

Create a custom Semgrep rule (`dangerous-functions.yaml`):

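rules:
  # Flag any call to eval()
  - id: dangerous-eval
    languages: [javascript]
    pattern: eval(...)
    message: "Avoid eval() due to XSS risks"
    severity: ERROR
  # Flag assignments to innerHTML on any element ($EL is a Semgrep metavariable)
  - id: unsafe-innerhtml
    languages: [javascript]
    pattern: $EL.innerHTML = ...
    message: "Unsafe innerHTML usage detected"
    severity: WARNING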

Run the scan:

semgrep --config=dangerous-functions.yaml your_code.js 

3. Mitigating `postMessage` Security Risks

Always validate message origins:

window.addEventListener("message", (event) => {
  if (event.origin !== "https://trusted-site.com") return;
  // Process message
});

4. Securing `localStorage` and `sessionStorage`

Avoid storing sensitive data:

// Check for exposed storage in the browser console
console.log(localStorage);

5. Auditing `document.cookie` for Security Flags

Ensure cookies have:

Secure; HttpOnly; SameSite=Strict 

Check cookies via:

curl -sI https://example.com | grep -i set-cookie
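
To turn that header output into a pass/fail check, the following added example (not code from the original post) parses `Set-Cookie` lines and reports which of the three flags above each cookie is missing. The function names `parseSetCookie`, `missingFlags` and `auditCookies` are hypothetical, and the sample headers are constructed.

```javascript
// Flags this page asks for; SameSite must be exactly Strict to pass.
const REQUIRED = ["Secure", "HttpOnly", "SameSite=Strict"];

// Parse one "Set-Cookie: name=value; Attr; Attr=val" header line.
function parseSetCookie(line) {
  const raw = line.replace(/^set-cookie:\s*/i, "");
  const [pair, ...attrs] = raw.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  // Attribute names are case-insensitive, so normalise to lower case.
  const attributes = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1).trim().toLowerCase();
    attributes.set(key, value);
  }
  return { name, attributes };
}

// Return the required flags that a single cookie does not carry.
function missingFlags(line) {
  const { attributes } = parseSetCookie(line);
  return REQUIRED.filter((flag) => {
    const [key, value = ""] = flag.toLowerCase().split("=");
    return !attributes.has(key) || attributes.get(key) !== value;
  });
}

// Audit text such as the output of `curl -I ... | grep -i set-cookie`.
function auditCookies(headerText) {
  return headerText
    .split(/\r?\n/)
    .filter((l) => /^set-cookie:/i.test(l))
    .map((l) => ({ cookie: parseSetCookie(l).name, missing: missingFlags(l) }))
    .filter((r) => r.missing.length > 0);
}

// Constructed sample headers (not captured from a real site).
const SAMPLE = [
  "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
  "set-cookie: prefs=dark; Path=/; secure; SameSite=Lax",
  "Set-Cookie: tracking=xyz; Path=/",
].join("\r\n");

for (const { cookie, missing } of auditCookies(SAMPLE)) {
  console.log(`${cookie}: missing ${missing.join(", ")}`);
}
```

The audit works on response headers because a cookie set with `HttpOnly` is not readable through `document.cookie`.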

What Undercode Say:

Static analysis tools like Semgrep help identify risky JavaScript functions before deployment. Always sanitize inputs, avoid eval(), and enforce strict CSP headers. For secure coding, combine automated scanning with manual code reviews.

Expected Output:

┌────────────┬───────────────┬──────────┐
│ File       │ Vulnerability │ Severity │
├────────────┼───────────────┼──────────┤
│ script.js  │ eval()        │ ERROR    │
│ index.html │ innerHTML     │ WARNING  │
└────────────┴───────────────┴──────────┘

Prediction:

Increased adoption of AI-powered static analyzers will reduce XSS vulnerabilities in JavaScript by 40% in 2025.

References:

Reported By: Sarveshkumar0 Infosec – Hackers Feeds