Web application penetration testing with Source Maps

What is a Source Map?

Modern web applications can include large quantities of JavaScript (JS) and Cascading Style Sheets (CSS) to enable a great user experience. We all appreciate a slick web app, and these technologies are significant components for achieving that.

When web applications have large amounts of JS and CSS, the web developer will often consider how to deal with two side-effects of having all this code:

  • how quickly the application loads, measured against what users expect
  • the cost and load of transferring all that extra code across the Internet

To help combat this, developers will often “minify” their code. Minification is the process of removing as much as possible from the code, including long variable names and superfluous white space. This practice reduces transmission across the Internet, improves loading times, and lowers costs.

There are a few ways to achieve minification. One such method is to write the application in another language, such as TypeScript or CoffeeScript, from which the code sent to the user’s browser is machine-generated.

A Source Map is a file that maps minified code back to the original code it was built from. Using a Source Map means that the code becomes human-readable again.

Why do Source Maps matter to Penetration Testers?

When performing a cyber security assessment of a modern web application, it can often be crucial to fully understand how the code behaves within the user’s web browser. It can be challenging to understand minified code, especially when identifying security flaws.

It is not unreasonable to suggest that the developers could send a copy of the original code to the penetration tester, but this would be stand-alone code not processed alongside the rest of the web application. Using Source Maps, the original code is rebuilt and can be read and understood. Crucially, this is also then possible within the web browser. Having the original code within the browser allows the penetration tester to understand the inner mechanics of the code during execution.

It is possible to complete the work without the Source Maps as the executed code is still present. However, it will likely just take more time to complete the task. With all of this in mind, we recommend that Source Maps are shared with penetration testers to ensure they have as comprehensive visibility of the web application as possible.

There is also the question about allowing Source Maps to be available publicly. The context of the web application will dictate whether providing Source Maps openly to the public is acceptable. However, most developers are cautious on this matter and only provide them if there is a justifiable reason.
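One way to check, before deployment, what a build's Source Maps would disclose if they were served publicly. This is an added example, not code from the original post; the file names, sample bundle and the `loadMap` callback are constructed for illustration, and inline maps are assumed to be base64-encoded.

```javascript
// Added example (not from the original page). All sample data is constructed.

// Return the last sourceMappingURL comment in a JS or CSS bundle, or null.
function findSourceMapRef(bundleText) {
  const re = /(?:\/\/|\/\*)[#@]\s*sourceMappingURL=([^\s*]+)/g;
  let match, ref = null;
  while ((match = re.exec(bundleText)) !== null) ref = match[1];
  return ref;
}

// Summarise what a version 3 source map would disclose if it were served.
function summariseSourceMap(mapJson) {
  const map = JSON.parse(mapJson);
  const sources = Array.isArray(map.sources) ? map.sources : [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return {
    sources,
    // Original files whose full text is embedded in the map itself.
    embedded: sources.filter((_, i) => typeof contents[i] === "string"),
    nameCount: Array.isArray(map.names) ? map.names.length : 0,
  };
}

// loadMap is a hypothetical callback that returns the map text for a
// referenced file name (for example, by reading it from the build directory).
function auditBundle(bundleText, loadMap) {
  const ref = findSourceMapRef(bundleText);
  if (ref === null) return { ref: null, inline: false, summary: null };
  const inline = ref.startsWith("data:");
  // Assumption: inline maps are base64-encoded data URIs.
  const mapJson = inline
    ? Buffer.from(ref.slice(ref.indexOf(",") + 1), "base64").toString("utf8")
    : loadMap(ref);
  const summary = typeof mapJson === "string" ? summariseSourceMap(mapJson) : null;
  return { ref: inline ? "(inline data URI)" : ref, inline, summary };
}

// Constructed sample: a minified bundle and the map its build produced.
const sampleMap = JSON.stringify({
  version: 3, file: "app.min.js",
  sources: ["src/api/client.ts", "src/auth/session.ts"],
  sourcesContent: ["export const base = '/api';\n", null],
  names: ["base", "login"], mappings: "AAAA",
});
const sampleBundle = "const a=1;function b(c){return c+a}\n//# sourceMappingURL=app.min.js.map\n";
const buildDir = { "app.min.js.map": sampleMap };

const report = auditBundle(sampleBundle, (name) => buildDir[name]);
console.log(JSON.stringify(report, null, 2));
```

A bundle with no `sourceMappingURL` comment returns a null summary, and any file listed under `embedded` has its full original text carried inside the map.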
