Log in
JavaScript conferences
JSNation Live 2021JSNation Live 2021
Talk Videos

Automated Security Testing for JS Apps & Underlying APIs

Scott Gerlach
Scott Gerlach
StackHawk
Rate this content
Bookmark

With StackHawk, engineering teams can run security tests against JS applications and the backing APIs to find and fix vulnerabilities fasters. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder Scott Gerlach for a quick overview of JS application security testing with StackHawk.

FAQ

StackHawk is a dynamic application security testing tool designed to test running HTTP applications, including applications and APIs like REST APIs, GraphQL, server-side HTML, and single-page applications.

StackHawk is built for automation in CI/CD environments, allowing it to be integrated into most CI/CD systems as it is Docker-based. Users can configure the scanner to break builds based on the severity of security issues found.

Yes, StackHawk can be run on your localhost during the coding and testing phases, allowing developers to identify and fix security vulnerabilities before moving to production.

StackHawk supports application and API security testing, including REST APIs, GraphQL, server-side HTML, and single-page applications. It leverages available specifications and introspections to guide its testing.

StackHawk provides detailed reports of security vulnerabilities, showing the criticality, issue type, and the path. It also includes the request-response pair that generated the issue and offers a cURL command for recreation and further investigation.

To configure a StackHawk scan, you need to specify the application ID, the host environment, and the environment type. Additional configurations can be set for authentication, paths to ignore, and specifications for API endpoints.

StackHawk offers integrations with major CI/CD tools, JIRA Cloud for issue tracking, and Slack for notifications about scan progress and findings.

Yes, StackHawk can identify various security vulnerabilities including SQL injection issues, and provides tools to help developers trace and fix such vulnerabilities in their code.

securitysecurity testing
Scott Gerlach
Scott Gerlach
8 min
10 Jun, 2021

Comments

Sign in or register to post your comment.

Video Summary and Transcription

StackHawk is a dynamic application security testing tool that helps find and fix security vulnerabilities. It integrates with your engineering stack and works with popular players in CICD. The DAST scanner crawls your application, tests it, and provides a summary of the findings, including cross-site scripting and SQL injection issues. The output in CICD includes a link to triage the issues.

Available in Español: Pruebas de seguridad automatizadas para aplicaciones JS y APIs subyacentes

1. Introduction to StackHawk

Short description:

StackHawk is a dynamic application security testing tool. It scans your application, runs anywhere, and helps you find and fix security vulnerabilities. The Stackhawk platform presents the criticality of an issue, the issue type, the path, and the request-response pair that generated the issue. It integrates with your engineering stack and works with popular players in CICD. Let's jump into a quick demo to see how Stackhawk works.

What's up, JSNationLive. Scott Gerlach, co-founder and CSO of StackHawk here. Thanks for taking time to check out what StackHawk has to offer.

Real quick, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications. That's application and API security testing, REST APIs, GraphQL, server-side HTML, and single-page apps.

StackHawk was built for automation in CICD. Makes finding and fixing security vulnerabilities very, very simple.

A little bit of how it works. First of all, it scans your application, and by scans your application we mean it runs anywhere. You can run it on your local host while you're writing code, testing your application, back that up in CICD, test your application there before you push it to prod, and then, again, if you want to, you can run it in prod.

It's built to scan those modern applications, like I mentioned, server-side HTML, single-page apps, REST API, where you have an open API spec, and GraphQL, where you have GraphQL introspection queries turned on. All of those things help inform the scanner as to how to do a good job testing your application for security vulnerabilities.

Once the test is all done, it does a really good job of showing you where those problems are found and potentially how to fix them. Finding and fixing those security issues is super simple with the Stackhawk platform.

The Stackhawk platform presents you with the criticality of an issue, the issue type, the path, and the request-response pair that actually generated the issue. The other thing that's really awesome about the Stackhawk platform is there's a curl recreation of that finding. So there's a curl command that you can copy and paste and run the same attack that the scanner did against your application to be able to just put your application in debug mode, step through that code, and quickly find where you may have made a mistake.

All of that is set up for CICD and you can break your build. You can set up the Stackhawk scanner to exit non-zero if it finds an issue of a severity type, medium or higher, high or high or higher, low or higher, all of those things are totally configurable in the Stackhawk platform. It does not do that natively. You can configure that for your own work.

Stackhawk integrates with your engineering stack. As you can see, I've got icons from some of the major popular players in CICD. Stackhawk works with all of them. Because it's Docker based, if your CICD system can run Docker, it can run Stackhawk.

Let's jump into a quick demo to see how Stackhawk works. Here you can see I've got my vulnerable Django application. This is just a basic Django application, so server side HTML, and I'm testing it with my Stackhawk scanner. The way that looks is I've got a simple Docker command, docker run stackhawk hawkscan.

2. StackHawk Configuration and Scanning

Short description:

The DAST scanner crawls your application, tests it, and provides a summary of the findings. It identifies cross-site scripting and SQL injection issues. The output in CICD includes a link to triage the issues.

I've got the configuration file, which we're going to take a look at next. And what happens is the DAST scanner crawls your application, looking for interesting things to test, and then tests it. Once that's done, you get a simple summary of what's happening, what Stackhawk found. So here you can see I've got a cross-site scripting issue, a SQL injection issue, and some lower issues. We'll focus on those highs for today. At the very bottom of this, I've got a link back to the Stackhawk platform. This is exactly the same output you'd get in CICD, so if you chose to break build in CICD, you'd have a link to be able to go triage these issues.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
Feross Aboukhadijeh
Feross Aboukhadijeh
Feross is the author and maintainer of WebTorrent, StandardJS, and 100s of other open source projects
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
securitynode.js
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Phil Nash
Phil Nash
DataStax
Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfill for them to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision for how authentication could look in the future and a blueprint for how to build the best auth experience today.
authenticationsecurity
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
Rafael Gonzaga
Rafael Gonzaga
NearForm & Technical Steering Committee, Brazil
All languages are or were vulnerable to some kind of threat. I’m part of the Node.js Security team and during the year 2022, we've performed many Security Releases and some of them were really hard to think about.
Did you know you can make money by finding critical vulnerabilities in Node.js? In this talk, I’ll show you 5 ways you can have hacked Node.js and how the Node.js team deals with vulnerabilities.
securitynode.js
Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced Conference 2021React Advanced Conference 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
Liran Tal
Liran Tal
Snyk
Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world.
reactsecurityxss
How React Applications Get Hacked in the Real-World
React Summit 2022React Summit 2022
7 min
How React Applications Get Hacked in the Real-World
Liran Tal
Liran Tal
Snyk
React has a great security standard as default, but if you don’t pay close attention to the details you could get burned by some of the escape hatches APIs, or even by just passing props insecurely to components. I’ll teach you how to avoid these pitfalls.
reactcase studysecurity
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão
Lucas Estevão
Technical Manager and Principal UI Engineer.
In this talk, we'll explore the powerful security feature of Content Security Policy (CSP) and how it can be implemented in Next.js to bolster your website's defenses against common web attacks like Cross-Site Scripting (XSS) and data injection. We'll cover the basics of CSP, its benefits, and best practices for implementing it in Next.js. 
Additionally, we'll share some tools to evaluate and test your policy. By the end of this talk, you'll have a solid understanding of how to level up your website's security with CSP and protect your users from the ever-present threats of the modern web.
securitynext.jsreact 18

Workshops on related topic

API Testing with Postman Workshop
TestJS Summit 2023TestJS Summit 2023
48 min
API Testing with Postman Workshop
Top Content
WorkshopFree
Pooja Mistry
Pooja Mistry
In the ever-evolving landscape of software development, ensuring the reliability and functionality of APIs has become paramount. "API Testing with Postman" is a comprehensive workshop designed to equip participants with the knowledge and skills needed to excel in API testing using Postman, a powerful tool widely adopted by professionals in the field. This workshop delves into the fundamentals of API testing, progresses to advanced testing techniques, and explores automation, performance testing, and multi-protocol support, providing attendees with a holistic understanding of API testing with Postman.
1. Welcome to Postman- Explaining the Postman User Interface (UI)2. Workspace and Collections Collaboration- Understanding Workspaces and their role in collaboration- Exploring the concept of Collections for organizing and executing API requests3. Introduction to API Testing- Covering the basics of API testing and its significance4. Variable Management- Managing environment, global, and collection variables- Utilizing scripting snippets for dynamic data5. Building Testing Workflows- Creating effective testing workflows for comprehensive testing- Utilizing the Collection Runner for test execution- Introduction to Postbot for automated testing6. Advanced Testing- Contract Testing for ensuring API contracts- Using Mock Servers for effective testing- Maximizing productivity with Collection/Workspace templates- Integration Testing and Regression Testing strategies7. Automation with Postman- Leveraging the Postman CLI for automation- Scheduled Runs for regular testing- Integrating Postman into CI/CD pipelines8. Performance Testing- Demonstrating performance testing capabilities (showing the desktop client)- Synchronizing tests with VS Code for streamlined development9. Exploring Advanced Features - Working with Multiple Protocols: GraphQL, gRPC, and more
Join us for this workshop to unlock the full potential of Postman for API testing, streamline your testing processes, and enhance the quality and reliability of your software. Whether you're a beginner or an experienced tester, this workshop will equip you with the skills needed to excel in API testing with Postman.
security testingtesting
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
web developmentauthenticationreactsecurity
Building out a meaningful test suite that's not all E2E
TestJS Summit 2023TestJS Summit 2023
89 min
Building out a meaningful test suite that's not all E2E
Workshop
David Burns
David Burns
We're all taught to follow the Testing Pyramid but the reality is that we build out the Testing Christmas Tree. In this workshop, David will talk you through how to break down projects and put the tests where they need to be. By the end of the workshop you will be able to update your projects so that anyone and everyone can start contributing and truly living up to "Quality is everyone job".
He will walk you through:- Component Testing- API Testing- Visual Regression Testing- A11Y testing
He will also talk you through how to get these all setup in your CI/CD pipeline so that you can get shorter and faster feedback loops.
e2e testingsecurity testingtesting
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
securitynode.js
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
npmjavascriptcase studysecuritynode.js
Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
Elena Vilchik
Elena Vilchik
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.
code qualitysecurityci cd