Reg comments134

Today's WWW is built on pillars of sand: Buggy, exploitable JavaScript libs are everywhere

Your dependencies are not dependable

Javascript photo via Shutterstock

The web has a security problem: code libraries. Almost 88 per cent of the top 75,000 websites and 47 per cent of .com websites rely on at least one vulnerable JavaScript library.

As described in a recently published paper, "Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web," researchers from Northeastern University in Boston, Massachusetts, have found that many websites rely widely on insecure versions of JavaScript libraries and that there's no immediate way to eliminate this problem.

The web is full of JavaScript, the most popular development technology outside of the mobile world, at least by Stack Overflow's measure. "Notorious for security vulnerabilities," as the paper's six authors put it, JavaScript has come to depend on a wide variety of libraries that extend its capabilities, such as jQuery, Angular, and Bootstrap.

These libraries simplify common development patterns like manipulating HTML page elements, providing application structure, and simplifying user interface construction.

Unfortunately, JavaScript libraries may not be kept up-to-date and there's no agreed-upon system for ensuring that web apps don't load vulnerable library code.

The researchers looked at 75,000 of the top Alexa-ranked websites and at 75,000 randomly chosen .com websites. They found at least 36.7 per cent of jQuery, 40.1 per cent of Angular, 86.6 per cent of Handlebars, and 87.3 per cent of YUI (the discontinued Yahoo! User Interface Library) implementations employ a vulnerable version.

"Alarmingly, many sites continue to rely on libraries like YUI and SWFObject that are no longer maintained," the paper says. "In fact, the median website in our dataset is using a library version 1,177 days older than the newest release, which explains why so many vulnerable libraries tend to linger on the web."

To make matters worse, many websites include multiple versions of libraries, thereby increasing the potential for vulnerabilities. And third-party modules that implement advertising, tracking, or social media functions may come with embedded JavaScript that loads more libraries, any of which could be out of date.

"If not isolated in a frame, these libraries gain full privileges in the including site's context," the paper says. "Thus, even if a web developer keeps library dependencies updated, outdated versions may still be included by badly maintained third-party content."

The researchers say there's no easy fix, noting that existing remediation strategies look doubtful because "less than 3 per cent of websites could fix all their vulnerable libraries by applying only patch-level updates." For the rest, the update required would introduce incompatibilities that could break the application.

Many JavaScript libraries get served by content delivery networks (CDNs), some of which provide a way to serve the most up-to-date version of a library through a feature called version aliasing. This allows a developer to specify that either a minimum version of a library, or a more recent version, if available, gets served to a requesting application.

But the researchers found only 1.1 per cent of websites that depend on jQuery implement this capability.

The paper recommends greater use of systematic approaches to dependency management and of tools like Auditjs (for Node.js applications). But it suggests progress will be slow without a generally accepted mechanism to track and disseminate JavaScript library vulnerability information.

"Unfortunately, security does not appear to be a priority in the JavaScript library ecosystem," the researchers conclude. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017