A Pentester's Guide to JavaScript Apps - Pentestmag

by Gilad David Maayan

JavaScript is a programming language that began as a simple mechanism for adding logic and interactivity to a web browser. In the past two decades, it became a browser-based programming standard, replacing many other competing languages and technologies, and becoming the primary language for building client-side interfaces in the digital era. 

JavaScript can be used as a tool for cyber security, penetration testing as well as digital forensic investigations.

Penetration testing attempts to simulate the actions a malicious attacker would take to compromise a system or entity. A penetration tester ethically penetrates a system to identify security weaknesses and vulnerabilities. An important function of penetration testers is not just to identify weaknesses and exploit paths but also to provide remediation guidance. 

Penetration testers can gain unique insights about the design, intended use cases, and implementation of a system under test. These insights help them discover vulnerabilities, prove they can be exploited, and then report them to customers. 

Penetration testing usually occurs at the end of the software development lifecycle (SDLC), so it is usually the last chance to find a vulnerability before release. Penetration testing combined with a robust DevSecOps program adds another layer of detection and remediation.

Is JavaScript Secure? 

Like most programming languages, JavaScript has its share of security exploits and vulnerability exposures. JavaScript vulnerabilities allow attackers to manipulate, modify, or steal data and redirect sessions. While JavaScript is most common for client-side applications, JavaScript vulnerabilities can also create security issues in a server-side environment.

Attack vectors

The main attack vectors exploiting JavaScript vulnerabilities are malicious script execution, user session data theft, local browser storage data theft, source code vulnerability exploitation, tricking users into performing malicious actions, and malicious JavaScript file uploads.

Malicious actors often exploit a combination of vulnerabilities in the application's source code and other JavaScript security gaps. Unfortunately, JavaScript obfuscation alone is not enough to hide these vulnerabilities or prevent their exploitation.

Because JavaScript is an interpreted language (not compiled), application code reaches the browser in readable form, and it is difficult to prevent hackers from examining it. Obfuscation remains important because it slows down attackers and reverse engineering attempts, but it should complement additional security measures rather than replace them.

Public software packages

A major source of security gaps in source code is the use of public libraries and packages. The npm registry, the main JavaScript package ecosystem, offers over a million packages. The variety of packages available is an advantage, but it also increases the risk of installing packages with hidden vulnerabilities into web applications.

Many developers install packages for simple tasks, adding more dependencies to the project and introducing security issues through each package and its transitive dependencies. Using many packages also has other consequences beyond security.
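To make the "more dependencies" point concrete, here is an added example (not code from the article) that walks a lockfile in the `package-lock.json` v2/v3 "packages" format and counts how many transitive packages each direct dependency pulls in. The lockfile and package names are constructed for illustration, and the walker is simplified to top-level `node_modules` entries only.

```javascript
// Constructed lockfile fragment (names are made up for this example).
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-trim": "^1.0.0", "tiny-http": "^2.1.0" } },
    "node_modules/left-trim": { version: "1.0.2" },
    "node_modules/tiny-http": {
      version: "2.1.0",
      dependencies: { "url-kit": "^3.0.0", "debug-lite": "^1.2.0" },
    },
    "node_modules/url-kit": { version: "3.0.1", dependencies: { "punycode-ish": "^2.0.0" } },
    "node_modules/punycode-ish": { version: "2.0.0" },
    "node_modules/debug-lite": { version: "1.2.3", dependencies: { "ms-ish": "^2.0.0" } },
    "node_modules/ms-ish": { version: "2.0.0" },
  },
};

// Resolve a package name to its lockfile entry. Simplification: only hoisted
// top-level entries are considered; nested "node_modules/a/node_modules/b"
// paths are not handled here.
function entryFor(lockfile, name) {
  return lockfile.packages["node_modules/" + name];
}

// Set of package names reachable from `name`, excluding `name` itself.
// `seen` doubles as the result and as cycle protection.
function transitiveDeps(lockfile, name, seen = new Set()) {
  const entry = entryFor(lockfile, name);
  if (!entry) return seen;
  for (const dep of Object.keys(entry.dependencies || {})) {
    if (!seen.has(dep)) {
      seen.add(dep);
      transitiveDeps(lockfile, dep, seen);
    }
  }
  return seen;
}

// For each direct dependency of the project, how many extra packages it brings along.
function dependencyFootprint(lockfile) {
  const direct = Object.keys(lockfile.packages[""].dependencies || {});
  const report = {};
  for (const name of direct) {
    report[name] = transitiveDeps(lockfile, name).size;
  }
  return report;
}

console.log(dependencyFootprint(lock)); // { 'left-trim': 0, 'tiny-http': 4 }
```

Each package in that count is code the project ships and must keep patched, which is why a small convenience dependency is rarely as cheap as it looks.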

Input validation

Development teams should ensure that all input supplied by the browser is validated where possible and does not contain unexpected characters. For example, phone number fields must only contain numbers and dashes or parentheses—if an input contains other characters, the controls should reject it automatically. Teams can set up filters to identify allowed characters and reject anything that deviates from the allowlist.

Hackers can use specialized tools to bypass validations on the client side and send unverified and potentially malicious data straight to the server. Without further validation on the server side, attackers could corrupt or replace stored data with false data.
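The defensive pattern described above, as an added example that is not part of the original article: one allowlist validator for the phone number field, applied again on the server so that a request crafted to skip the browser-side check is still rejected. The handler is a framework-free stand-in for a route such as an Express POST handler, and the request bodies are constructed for illustration.

```javascript
// Allowlist for phone numbers: digits, spaces, dashes, parentheses and an
// optional leading "+". Anything outside this set is rejected outright.
const PHONE_ALLOWLIST = /^\+?[0-9()\- ]{7,20}$/;

function isValidPhone(value) {
  // Type check first: a JSON body may carry an array or object where a string
  // is expected, and a regex test on a non-string would coerce it silently.
  return typeof value === "string" && PHONE_ALLOWLIST.test(value);
}

// Server-side handler. `body` is the parsed JSON body of a POST request; it is
// untrusted regardless of what the browser form did before sending it.
function handleProfileUpdate(body) {
  const phone = body && body.phone;
  if (!isValidPhone(phone)) {
    // Generic error message: the rejected value is not echoed back.
    return { status: 400, error: "phone: unexpected characters" };
  }
  return { status: 200, stored: { phone: phone.trim() } };
}

// Constructed requests. The first is what the form would send after passing the
// client-side check; the rest are what a proxy or script could send directly.
const requests = [
  { phone: "(555) 123-4567" },       // valid
  { phone: "555-1234<b>hi</b>" },    // markup characters
  { phone: "555-1234'--" },          // quote and comment characters
  { phone: ["555", "1234"] },        // wrong type
  {},                                // missing field
];

for (const req of requests) {
  console.log(JSON.stringify(req), "->", handleProfileUpdate(req).status);
}
```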

How to Perform a Web Application Pentest

1. Planning Phase

During the planning phase, many important decisions are made that directly affect other phases of penetration testing. This includes defining and agreeing on the scope, schedule, and stakeholders that need to be involved.

When defining the scope of a security assessment, there are various factors to consider before proceeding to the next testing phase—which application pages should be tested and whether to run internal tests, external tests, or both.

It is also important to define a schedule for the entire process. This eliminates the need for lengthy evaluations and allows timely implementation of security controls to better protect your applications.

2. Pre-Attack Phase

At this stage, the pentester carries out reconnaissance to lay the groundwork for testing in the next stage. In particular, this includes finding open source intelligence (OSINT) or other publicly available information that could be used against the web application.

During this phase, the pentester can gather information using techniques like port scanning, service discovery, and vulnerability scanning. This can be done using tools like Nmap, Shodan, Google Dorking, and dnsdumpster.

An important part of reconnaissance is understanding whether employees of the organization are present on social networks. This provides opportunities for social engineering. Hackers can trick employees into providing passwords or other sensitive information, and penetration testers should attempt the same methods to penetrate a secure web application.

3. Attack Phase

During the attack phase, penetration testers attempt to exploit vulnerabilities they discovered. They want to go one step further by identifying and mapping attack vectors.

During the attack phase, the penetration tester attempts to compromise the web application or its host server by penetrating its internal structure. Common attack vectors are phishing, exploitation of web application vulnerabilities such as the OWASP Top 10, and specific exploits targeted at software or operating system vulnerabilities on the web server.

4. Post-Attack Phase

Upon completion of the penetration test, a full detailed report is generated. This report may vary depending on the organization or the type of web application tested.

However, penetration testing reports typically include a list of vulnerabilities, analysis of the results, suggested remedial actions, and conclusions. In addition to this, penetration testers are also responsible for restoring system and network configurations to their original state in the post-attack phase.


In this article, I explained the main threats facing JavaScript-based web applications, and provided a four-step process for carrying out a pentest against a web app:

  1. Planning phase - identifying project scope and schedule.
  2. Pre-attack phase - carrying out reconnaissance to identify vulnerabilities in the application and opportunities for social engineering.
  3. Attack phase - exploiting vulnerabilities such as OWASP Top 10 or specific web server and OS vulnerabilities.
  4. Post-attack phase - generating a full report to help the organization identify and remediate vulnerabilities.

I hope this will be useful as you plan your next web application penetration test.

About The Author

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.

December 5, 2022
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013