Unlocking JavaScript Secrets: Insights from 5 Million Apps
Exposed Secrets in JavaScript Bundles
A recent analysis of 5 million applications has shed light on how commonly sensitive information, such as API keys and credentials, sits hidden in plain sight within JavaScript bundles. The issue itself is a long-standing concern, but the sheer scale of the problem has only recently come to light.
The Scale of the Problem
The research, which utilized a novel secrets detection method, uncovered over 42,000 exposed tokens across 334 different secret types. These tokens were not limited to low-value test keys or inactive credentials; they included active, critical credentials that had effectively bypassed standard security controls.
Exposed Tokens for Code Repository Platforms
One of the most significant risks identified was the exposure of tokens for code repository platforms, such as GitHub and GitLab. A total of 688 tokens were found, many of which were still active and granted full access to repositories. In one instance, a GitLab personal access token was embedded directly in a JavaScript file, allowing access to all private repositories within the organization, including sensitive CI/CD pipeline secrets.
Other Exposed Secrets
Another notable exposure involved an API key for a project management application, Linear, which was embedded directly in front-end code. This token exposed the organization’s entire Linear instance, including internal tickets, projects, and links to downstream services and SaaS projects.
Other exposed secrets included access to CAD software APIs, mailing lists, campaigns, and webhooks for chat and automation platforms. Additionally, 213 Slack, 2 Microsoft Teams, 1 Discord, and 98 Zapier tokens were found, all of which were active.
Limitations of Traditional Scanners
These secrets are missed largely because of the limitations of traditional scanners, which do not account for the complexities of JavaScript applications. Traditional scanners probe a list of known paths and apply regular expressions to match known secret formats. That approach cannot reach secrets in bundles and lazily loaded chunks that are only discoverable by spidering the application from its entry point, or that sit behind routes which require the scanner to authenticate first.
Ineffectiveness of SAST and DAST Tools
Furthermore, Static Application Security Testing (SAST) tools, which analyze source code to identify vulnerabilities, are not effective in detecting secrets within JavaScript bundles. SAST sees only the source as written; a secret that is injected when the bundle is built or deployed never appears in that source, so it slips through a gap static analysis cannot close.
Dynamic Application Security Testing (DAST) tools, which exercise the running application and can cover it far more thoroughly, are not typically used for secrets detection in application front-ends because of their complexity, cost, and maintenance requirements.
Conclusion
The issue of secrets being introduced during the build and deployment process, where they bypass shift-left controls, is a growing concern. As automation and AI-generated code become more prevalent, this problem is likely to worsen. Therefore, spidering the single-page application itself, rather than only its source or a list of known paths, is necessary to catch secrets before they reach production.
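As an added illustration of the gap described under "Limitations of Traditional Scanners" and of the spidering this conclusion calls for (this code is not from the research or the original article), the following Python contrasts a known-path-plus-regex scan with a spider that starts at the page, follows script tags, and then follows chunk references found inside each bundle. The in-memory site, its content-hashed filenames, the token values, and the two simplified secret patterns are all constructed for the example and are not real credentials or vendor-exact validators.

```python
"""
Added example, not part of the original article: a fixed-path regex scan
versus a bundle spider, run against a constructed in-memory site.
Token values below are fabricated placeholders.
"""
import re
from urllib.parse import urljoin

# Constructed site. The index references one content-hashed bundle; that
# bundle registers a lazily loaded chunk by another hashed filename.
SITE = {
    "https://app.example/": (
        '<!doctype html><html><head>'
        '<script src="/static/js/main.8f3c2a.js"></script>'
        '</head><body><div id="root"></div></body></html>'
    ),
    "https://app.example/static/js/main.8f3c2a.js": (
        '(()=>{const c={"settings":"/static/js/settings.4b1d9e.chunk.js"};'
        'function load(n){return import(c[n])}'
        'const SLACK="xoxb-000000000000-000000000000-CONSTRUCTEDPLACEHOLDER0";})();'
    ),
    "https://app.example/static/js/settings.4b1d9e.chunk.js": (
        'export const GITLAB_TOKEN="glpat-CONSTRUCTEDPLACEHOLDER";'
    ),
}

# Simplified, illustrative patterns (assumed shapes, not vendor-exact).
SECRET_PATTERNS = {
    "gitlab_pat": re.compile(r"glpat-[A-Za-z0-9_-]{20,}"),
    "slack_token": re.compile(r"xox[abp]-[0-9]{10,}-[0-9]{10,}-[A-Za-z0-9]{20,}"),
}

# Any quoted string literal that names a .js path: covers <script src="...">
# in HTML and chunk manifests inside bundles alike.
JS_REF = re.compile(r'["\']((?:/[\w.-]+)+\.js)["\']')

# Paths a traditional scanner might probe blindly (constructed wordlist).
KNOWN_PATHS = ["/", "/main.js", "/app.js", "/static/js/main.js", "/config.js"]


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site."""
    return SITE.get(url)


def scan_text(text, source):
    """Apply every secret pattern to one body; return (type, source, match)."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, source, m.group(0)))
    return hits


def path_scan(base):
    """Traditional approach: fixed path list, regex over whatever answers."""
    hits = []
    for path in KNOWN_PATHS:
        url = urljoin(base, path)
        body = fetch(url)
        if body is not None:
            hits.extend(scan_text(body, url))
    return hits


def spider_scan(base, max_pages=50):
    """Spider approach: start at the entry point and follow every JS
    reference discovered in HTML or in already-fetched bundles."""
    seen, queue, hits = set(), [base], []
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        hits.extend(scan_text(body, url))
        for ref in JS_REF.findall(body):
            queue.append(urljoin(url, ref))
    return hits


def summarize(hits):
    """Count findings per secret type for a triage report."""
    counts = {}
    for name, _source, _value in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    base = "https://app.example/"
    print("known-path scan:", summarize(path_scan(base)))
    print("spider scan:    ", summarize(spider_scan(base)))
    for name, source, value in spider_scan(base):
        print(f"  {name:<12} {source}  {value[:12]}...")
```

The path scan finds nothing because the bundle and chunk carry content hashes that no wordlist predicts, while the spider reaches both by following references the application itself emits. The example fetches anonymously; a bundle served only after login would need the spider to carry a session, which is the "authenticate" case the article mentions and this code omits.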
