
JavaScript Security Pitfalls


Why bother with JavaScript security?

The Web runs on JavaScript. If you are a software developer, chances are you are writing JavaScript. Even if you are not, you rely on tools and applications written in this popular language. You would not be reading this article without JavaScript.

A lot has been written about Web security. Many software engineers know what SQL injection is and can tell cross-site scripting (XSS) from cross-site request forgery (CSRF). And yet, security issues that are unique to JavaScript remain unknown to many developers.

Unfortunately, this does not mean that those vulnerabilities cannot be exploited by attackers seeking fame, fortune, or revenge. They certainly can.

A series is born

The goal of this blog post series is to help you become a better JavaScript developer. I will help you to build a strong mental model of the most prevalent vulnerabilities that plague JavaScript code. Follow along to learn how to write secure and robust code that prevents them.

Here be dragons

JavaScript is a bit of an odd animal in the programming language menagerie. Rapid development and massive popularity gave us language features and coding patterns that may easily lead to exploitable security bugs.

  1. Dynamic typing. JavaScript variables can refer to objects of different types. The same variable can hold a number, a string, or an object, depending on the flow of control. When you look at the code, you do not always know the types of your variables, and that uncertainty can lead to unintentional information disclosure or other security issues.
  2. Dynamic code execution. JavaScript programs can invoke the JavaScript engine at runtime. It sounds like a really powerful feature, and it is. It is also what attackers dream about: the ability to inject their code into your application.
  3. Prototype pollution. JavaScript has a pretty unusual inheritance mechanism. Instead of static relationships between classes, inheritance is achieved through dynamic links between objects (the prototype chain). If attackers can modify the objects forming the prototype chain, they may alter the behavior of your code in unforeseen ways.
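
To make the third pitfall concrete, here is an added example that is not part of the original post: a recursive "merge" of untrusted JSON into a settings object, in its vulnerable form and then hardened. The function names and the sample request body are constructed for illustration.

```javascript
// Added example, not code from the original post: a recursive "merge" that
// copies untrusted JSON into a settings object, first vulnerable, then hardened.
// Function names and the sample payload are constructed for illustration.

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: copies every key of the input, "__proto__" included, so a nested
// payload recurses into Object.prototype and writes to the shared prototype chain.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, and only recurse into
// the target's own properties so an inherited getter is never used as a target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample body, as it would arrive from an untrusted client.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merges the sample, then checks whether an unrelated fresh object now "has" isAdmin.
function demo(merge) {
  const settings = merge({ theme: 'light' }, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // reset so the next run starts clean
  return { theme: settings.theme, polluted };
}
console.log(demo(mergeUnsafe), demo(mergeSafe)); // { theme: 'dark', polluted: true } { theme: 'dark', polluted: false }
```

Both merges produce the same `theme`, which is why the bug goes unnoticed in tests; only the fresh, unrelated object reveals that the prototype chain was modified.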

This series of posts will look into those problems in detail. It will also offer actionable guidance on how to find and avoid them.

What’s next?

The next post in this series will explain the JavaScript security model in the two most popular runtime environments: Web browsers and Node.js.

Video course

I am also working on a video course JavaScript Security: Best Practices on Pluralsight. It will be a part of the JavaScript Core Language learning path. Learn more on the Courses page and subscribe to the newsletter to get regular updates about the progress.