
Contrast Scan Adds Support for Client-Side JavaScript - The World’s Most Popular Programming Language

By Joe Coletta

January 5, 2022

AppSec


If you’re looking for the TL;DR version of this announcement, here it is: Contrast Scan has expanded its language coverage to include front-end languages, with support for client-side JavaScript (JS) and jQuery. Now that we’ve got that covered, let’s get into the details. Contrast’s mission is to become the world’s most complete secure coding platform, with Contrast Scan acting as the tip of the spear to deliver fast, actionable results directly within developers’ pipelines. It only makes sense that we extend our use case beyond server-side languages into the front-end. Analyst firm RedMonk reports on the most popular programming languages, and JavaScript has consistently ranked #1. That makes sense considering client-side JS is used in 97% of the world’s websites. With this addition to the Contrast Secure Code Platform, customers can take advantage of real-time security telemetry for their server-side languages while also achieving full coverage for their client-side JS code.

Client-side security is commonly linked with tools like bot management or WAFs. After all, in 2021, web applications were the second most common attack vector for confirmed breaches according to data from the latest edition of Verizon’s Data Breach Investigations Report (DBIR). What’s more important is that, among those confirmed web application breaches, vulnerability exploits were found to be among the top execution paths. Code-level exploits like XSS or Magecart attacks are the vehicle for attackers to exfiltrate sensitive customer data through session hijacking, clickjacking, credential harvesting…you get the idea.

Because JavaScript runs in the client’s browser, it must be downloaded to the browser in order to work. Therefore, without the proper safeguards, JavaScript can be manipulated on the client’s machine, leaving it subject to attackers attempting to access, read or modify it. This is especially a concern for vanilla JavaScript applications that may not use a modern library or framework like jQuery, Angular, or React. If you factor in that the JavaScript ecosystem is enormous, with thousands of third-party JS dependencies making up the majority of most web applications, the problem becomes much more complicated. Early detection of code-level vulnerabilities is the most consistent and cost-effective approach to protecting client-side JavaScript.

Now we can get into the details beyond the headlines. Contrast Scan has added support for both vanilla client-side JavaScript and jQuery. The engine we’ve built for JS is governed by the same philosophy that has made Contrast Scan among the fastest, most accurate static code analyzers on the market. Contrast Scan utilizes a demand-driven scan methodology. In plain English, that means that we don’t flood developers with spurious results but rather focus only on exploitable findings by performing deep data flow analysis from every vulnerable entry point within the application.

For JavaScript, we scan the same artifact used by the browser for full effectiveness and compatibility. This presents a couple of notable benefits:

  • From a user perspective, there is one and only one thing to scan. Users upload the packaged JS artifact and get results back in seconds.
  • The browser bundle supports formats like webpack, browserify, source map files, and anything else, to match results with transpilers and code generators - meaning we can map results to the specific line of code more accurately. Regardless of the syntax you use for JavaScript, like TypeScript or Babel, if it compiles into JavaScript, we’ll test it. Period.

The Contrast CLI already allows developers to scan for vulnerable JS libraries before commits. With all that in mind, Contrast users are able to test the full scope of their custom and third-party JS code through a single, centralized platform. 

We have already begun work on expanding our JavaScript support including support for additional frameworks like React and Angular along with aggregating results across custom code and third-party JavaScript libraries. We’ll be sure to provide updates as we continue to expand our JavaScript use case. 

If you’d like to hear more about how Contrast can cover your entire software stack from front-end to back-end, feel free to reach out to us to schedule a demo and our team would be happy to help. 

Joe Coletta

Joe Coletta is a Sr. Product Marketing Manager at Contrast Security focusing on Open Source Security. Entering the AppSec field as a Security Program Manager, Joe has consulted dozens of organizations of varying sizes on how to work cross-functionally in order to scale their application security programs. Applying this frontline knowledge to a product marketing career, Joe develops go-to-market resources that capture the voice of AppSec practitioners in both Security and Development. On a personal note, Joe divvies his free time between reading, drawing, and Brazilian Jiu Jitsu.