4

I want to include a feature to add a sort function on an HTML table on my site, using the tablesorter library.

I would be using this on a part of the site that requires a login to access data. But I am worried the library might sneak in malware or try to exfiltrate the data that is displayed in the table. What should I look for in the JS file to make sure that I am not making data on the site vulnerable by including this JS that someone else has written?

I would be hosting the script on my servers and wouldn't be linking out to a 3rd party file.

Anders
Don85203
  • Are you worried about the authors of the package deliberately sneaking in malware? Or are you concerned about accidental bugs? – Anders Feb 12 '18 at 18:48
  • I'm worried about sneaking malware as well as being able to output the data housed in the table. I searched through the JS file and found reference to http|ftp, but there didn't seem to be a url specified. – Don85203 Feb 12 '18 at 19:31
  • 1
    After reviewing the code, make sure to include the file using [subresource integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), so it doesn't get executed anymore if the code is modified. – Sjoerd Feb 13 '18 at 12:31

3 Answers

5

One imperfect solution is to rely on reputation. Does the library have many users? Lots of downloads at GitHub or npm? An active community? Do any large established actors use it? A backdoor in jQuery would have been discovered by now, but one in a small obscure library might not.

If that is not good enough for you, the next step is to go through the code. There are some heuristics you can use. Obfuscated code is a big red flag. So are any unexpected HTTP requests using e.g. XHR or fetch. But a clever attacker can hide code to exfiltrate data - an unsuspicious looking image tag could be used to make an HTTP request for instance. So don't expect to be able to do this with grep. If you have doubts, maybe you should aim for at least a superficial understanding of the entire code base.

Anders
1

You should be looking for:

  • Passwords
  • Encrypted passwords like hashes
  • Encrypted / scrambled code
  • References to external websites, like IP addresses, domain names

These are common signs of a backdoor in web-based code.

Aria
1

For the lib you linked you could audit the code by looking at it. The file you would link inside <script> tags should be read through. I would recommend AGAINST using the jquery-latest.js and instead using the version from the jquery homepage (since his version is minified).

That being said, while looking through jquery.tablesorter.js ... it looks to be pretty benign. It is roughly 1,000 lines of well documented code. Even if you don't know the syntax of javascript itself ... if you understand programming you should be able to look through the existing code and understand the flow of it. As Aria stated it shouldn't contain IPs or domain names unless they are in comments to further document the code (which does appear in this code).

CaffeineAddiction
  • 2
    If you have to explain to someone that JavaScript appears in a script tag then they probably don't have the skills to carry out an effective security audit of the code – symcbean Feb 13 '18 at 15:49