As part of my NodeSecure project, one of my objectives was to detect the various kinds of "malicious" code that have been catalogued from past attacks.
Static analysis means analyzing source code without ever executing it (executing it would be dynamic analysis instead). To do this we transform the code into an AST (Abstract Syntax Tree), which makes analyzing the code much simpler.
I recently gave a talk in French on manipulating ASTs in JavaScript, which I recommend you watch. It is with these techniques that I managed to create my JS-X-Ray project (a SAST, i.e. Static Application Security Testing, tool).
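To make the "parse, then walk the tree" idea concrete, here is an added example that is not NodeSecure or JS-X-Ray code: a deliberately tiny parser for a JavaScript subset that emits an ESTree-shaped AST, a generic tree walker, and a handful of detection rules of the kind a SAST tool applies to that AST. The supported subset (identifiers, string and number literals, `.`/`[...]` member access, calls, parentheses and `;`-separated expression statements), the rule names and the `SAMPLE` input are all assumptions constructed for this example; a real tool would use a full parser such as acorn or meriyah.

```javascript
// Added example, not NodeSecure/JS-X-Ray code: minimal JS-subset parser,
// ESTree-shaped AST, generic walker and a few static detection rules.
// Assumption: only identifiers, number/string literals, `.` and `[...]`
// member access, calls, parentheses and `;`-separated statements are parsed.
const TOKEN_RE = /\s+|\/\/[^\n]*|[A-Za-z_$][\w$]*|\d+|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[()\[\].,;]/y;

function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (m === null) throw new SyntaxError(`Unexpected character at offset ${pos}`);
    pos = TOKEN_RE.lastIndex;
    const text = m[0];
    if (/^\s/.test(text) || text.startsWith("//")) continue; // drop whitespace and comments
    const type = /^[A-Za-z_$]/.test(text) ? "ident"
      : /^\d/.test(text) ? "number"
      : /^["']/.test(text) ? "string" : "punct";
    tokens.push({ type, text });
  }
  return tokens;
}

function parse(src) {
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const expect = (text) => {
    const t = next();
    if (!t || t.text !== text) throw new SyntaxError(`Expected '${text}'`);
  };

  function parsePrimary() {
    const t = next();
    if (!t) throw new SyntaxError("Unexpected end of input");
    if (t.type === "ident") return { type: "Identifier", name: t.text };
    if (t.type === "number") return { type: "Literal", value: Number(t.text) };
    if (t.type === "string") return { type: "Literal", value: t.text.slice(1, -1) };
    if (t.text === "(") { const e = parseExpression(); expect(")"); return e; }
    throw new SyntaxError(`Unexpected token '${t.text}'`);
  }

  // A primary expression followed by any chain of .prop, [expr] and (args).
  function parseExpression() {
    let node = parsePrimary();
    for (let t = peek(); t && t.type === "punct"; t = peek()) {
      if (t.text === ".") {
        next();
        const prop = next();
        if (!prop || prop.type !== "ident") throw new SyntaxError("Expected property name");
        node = { type: "MemberExpression", object: node, computed: false,
                 property: { type: "Identifier", name: prop.text } };
      } else if (t.text === "[") {
        next();
        node = { type: "MemberExpression", object: node, computed: true, property: parseExpression() };
        expect("]");
      } else if (t.text === "(") {
        next();
        const args = [];
        while (peek() && peek().text !== ")") {
          args.push(parseExpression());
          if (peek() && peek().text === ",") next();
        }
        expect(")");
        node = { type: "CallExpression", callee: node, arguments: args };
      } else break;
    }
    return node;
  }

  const body = [];
  while (i < tokens.length) {
    body.push({ type: "ExpressionStatement", expression: parseExpression() });
    if (i < tokens.length) expect(";");
  }
  return { type: "Program", body };
}

// Depth-first visit of every AST node; non-object fields are skipped.
function walk(node, visit) {
  if (Array.isArray(node)) { node.forEach((n) => walk(n, visit)); return; }
  if (node === null || typeof node !== "object") return;
  visit(node);
  for (const child of Object.values(node)) walk(child, visit);
}

// Builtin modules the (assumed) rule set treats as worth reporting.
const SENSITIVE_MODULES = new Set(["child_process", "fs", "net", "http", "https", "dns"]);

// Dotted name of a callee for reporting: `eval`, `require`, `console.log`, ...
function calleeName(node) {
  if (node.type === "Identifier") return node.name;
  if (node.type === "MemberExpression" && !node.computed) return `${calleeName(node.object)}.${node.property.name}`;
  return "<expr>";
}

// Run the rules over the AST and return the findings in visit order.
function analyze(src) {
  const findings = [];
  walk(parse(src), (node) => {
    if (node.type === "Identifier" && /^_0x[0-9a-f]+$/i.test(node.name)) {
      findings.push({ kind: "obfuscated-identifier", detail: node.name });
    }
    if (node.type !== "CallExpression") return;
    const name = calleeName(node.callee);
    const arg = node.arguments[0];
    if (name === "eval" || name === "Function") {
      findings.push({ kind: "dynamic-code-evaluation", detail: name });
    } else if (name === "require") {
      if (!arg || arg.type !== "Literal") findings.push({ kind: "non-literal-require", detail: "argument is not a string literal" });
      else if (SENSITIVE_MODULES.has(arg.value)) findings.push({ kind: "sensitive-module", detail: arg.value });
    }
  });
  return findings;
}

// Constructed sample input (not real malware): the shapes a scanner looks for, plus a harmless call.
const SAMPLE = `
require("child_process").exec(cmd);   // call into a sensitive builtin module
eval(payload);                        // dynamic code evaluation
require(moduleName);                  // module name not knowable statically
_0x4a2b("x", 1);                      // identifier naming typical of obfuscators
console.log("hello");                 // nothing to report
`;

console.log(analyze(SAMPLE));
```

The point of the shape is that the rules never look at the raw text: once the code is a tree, "a call whose callee is the identifier `require` and whose first argument is not a literal" is a structural question, which is exactly what makes AST-based analysis simpler and more robust than regexes over source.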
Other talks related to Abstract Syntax Trees:
- Machine Powered Refactoring: Leverage AST's to Push Your Legacy Code (& the Web) Forward
- What the AST?
- What is an Abstract Syntax Tree? (Nearform)
Articles written by NodeSecure core members:
⬅️ 🔐 Security: Common Security Breach | ➡️ 🔐 Security: Additional links and resources to read