Skip to main content
Aug 22, 2017

“JavaScript: Perils & Opportunities” at Black Hat 2017

At Black Hat 2017, Aaron Lint, VP of Research, and Paul Dant, Senior Security Engineer, explained their philosophies on JavaScript security and discussed the problems and complications faced when deploying JavaScript apps in untrusted environments.

Paul believes that applications are in serious trouble if outside parties have access to source code or to binary that is unprotected against threats like reverse engineering and tampering. JavaScript is so easy to hack because it sends source code in plain text directly to the client, making it easy to analyze, intercept, and modify in transit, and the language is seen everywhere from the database and server level. The simplicity and ability to write abstract code in JavaScript makes it easier to develop, but also harder to maintain security.

Furthermore, Aaron is concerned that mobile app developers have too much faith in the platforms running their apps, when in reality it is easy to obtain a compromised device that will grant hackers control over an app and help them learn what APIs the app uses and how to access them. Hackers can use this information to extract, tamper with, and repackage the code. The language is quick to use and decreases development costs, which makes it attractive to companies, but it can also provide sensitive information to hackers. The code is relatively simple to reverse engineer, which makes it not very interesting to attack. Instead, hackers use JavaScript to gather information to find a more valuable attack. This information can include what forms of authentication are used, what APIs are being called to authenticate users and how they operate, and if there are any tokens or keys that can be extracted.

Even more dangerous, mobile devices using applications for healthcare and payments contain a lot of exploitable information, and many developers use obvious naming techniques in the code they write that make sensitive information easy to uncover. Paul believes that computer science education could be to blame for not teaching developers thoroughly about security. On the company level, most large organizations are pushed to have the fastest, first to market solution to each new advancement in technology, which influences them to set security concerns aside and/or to add it on later in order to release new applications or platforms.

Paul and Aaron agree that if security is an afterthought added onto the product, it’s way too easy to hack. Many products today have these basic flaws, and managers and developers should learn from their mistakes and learn to build in security from the beginning. Paul predicts that “in three years, binary-level analysis, especially on mobile platforms, is all anybody’s going to be talking about and thinking about in terms of solutions.” To learn more about Arxan's JavaScript application security, watch "How Vulnerable Is Your JavaScript Application to Attack?" for a free demo.



Arxan Author

More from the Blog
Dec 04, 2018

Why Magecart Continues to Succeed at Harming Companies

A group known as Magecart has come to light as companies such as Ticketmaster, 
Read more
Nov 26, 2018

How Web App Attacks Bypass Your WAF [Infographic]

Nov 19, 2018

Breaking Down the New California IoT Law

Recently California passed legislation regarding
Read more