Microsoft announced this week the availability of Sonar, an open source linting and website scanning tool designed to help developers identify and fix performance and security issues.
Developed by the Microsoft Edge team, Sonar has been made open source and donated to the JS Foundation. Microsoft will continue making improvements to the project, but external contributions are also welcome.
Linting is the process of analyzing code for potential errors without running it. Sonar looks for a wide range of issues, including ones related to performance, accessibility, security, Progressive Web Apps (PWA), and interoperability.
In the case of security, Sonar checks for eight types of weaknesses. One of them is SSL/TLS configuration problems, which it identifies by submitting the site to SSL Labs’ SSL Server Test (so that particular check only works for hosts reachable from the internet).
Another test flags HTTPS responses that don’t carry the Strict-Transport-Security (HSTS) header. HSTS instructs browsers to reach the site only over HTTPS for the period given in its max-age directive, which blocks the downgrade and SSL-stripping man-in-the-middle (MitM) attacks that work by luring a user onto a plain HTTP connection.
Developers can also verify whether their applications or sites are exposed to attacks that rely on MIME sniffing, the browser behavior of guessing a response’s type from its content when the declared Content-Type is missing or looks wrong. Sniffing has compatibility benefits, but it lets an attacker-controlled file that is served as, say, an image or plain text be interpreted as HTML or script. The X-Content-Type-Options: nosniff response header tells browsers to trust the declared type only.
Sonar also checks whether Set-Cookie headers carry the Secure and HttpOnly attributes. Secure stops the cookie from being sent over plaintext HTTP, where it could be intercepted; HttpOnly hides its value from JavaScript, so a cross-site scripting (XSS) payload cannot simply read the session cookie and hand it to the attacker. Together they close two common routes to session hijacking.
Another useful feature for security is Sonar’s ability to determine if a website is running a vulnerable client-side JavaScript library or framework. It does this by using Snyk’s Vulnerability DB and js-library-detector.
Sonar is also designed to flag response headers that leak potentially sensitive data, such as the software and version information commonly found in Server or X-Powered-By, and redirects that could send users to malicious websites.
Sonar can be used locally as a command-line tool, and an online version is also available. It integrates with several other products, including aXe Core, the AMP validator, snyk.io, SSL Labs, and Cloudinary.
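To make the header checks described above concrete, here is a small Node.js audit in the same spirit. It is an added example written for this page, not Sonar’s own code or output: the function names, the finding identifiers, the list of “leaky” headers and the two sample responses are all constructed for illustration. Given the status, URL and headers of one response, it reports a missing or empty HSTS policy, a missing nosniff header, cookies lacking Secure or HttpOnly, headers that advertise server software, and 3xx redirects that leave the site’s own host.

```javascript
// Added example, not Sonar's code: a minimal response-header audit.
// Header names are case-insensitive and Set-Cookie may repeat, so headers are
// normalised to lower-case keys with set-cookie held as an array (as Node's
// http module does).
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = key === 'set-cookie' ? [].concat(value) : String(value);
  }
  return out;
}

// "max-age=31536000; includeSubDomains; preload" -> { 'max-age': '31536000', includesubdomains: true, ... }
function parseHsts(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) directives[k.toLowerCase()] = v === undefined ? true : v.trim();
  }
  return directives;
}

// "session=abc; Path=/; Secure; HttpOnly" -> { name: 'session', secure: true, httpOnly: true }
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const attrNames = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.split('=')[0], secure: attrNames.has('secure'), httpOnly: attrNames.has('httponly') };
}

// Headers that typically reveal server software and versions (list chosen for this example).
const LEAKY_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version'];

// Returns an array of finding identifiers (empty when nothing is wrong).
function auditResponse({ url, status, headers }) {
  const h = normalizeHeaders(headers);
  const findings = [];
  const requestUrl = new URL(url);

  // 1. HSTS is only honoured by browsers on HTTPS responses, so only check there.
  if (requestUrl.protocol === 'https:') {
    if (!h['strict-transport-security']) {
      findings.push('hsts-missing');
    } else {
      const maxAge = Number(parseHsts(h['strict-transport-security'])['max-age']);
      if (!Number.isFinite(maxAge) || maxAge <= 0) findings.push('hsts-max-age-invalid');
    }
  }

  // 2. MIME sniffing: the only valid value is "nosniff".
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    findings.push('nosniff-missing');
  }

  // 3. Cookie attributes, one finding per missing attribute per cookie.
  for (const raw of h['set-cookie'] || []) {
    const c = parseSetCookie(raw);
    if (!c.secure) findings.push(`cookie-${c.name}-missing-secure`);
    if (!c.httpOnly) findings.push(`cookie-${c.name}-missing-httponly`);
  }

  // 4. Information leakage through server-identifying headers.
  for (const name of LEAKY_HEADERS) {
    if (name in h) findings.push(`leaky-header-${name}`);
  }

  // 5. Redirects: resolve Location against the request URL and flag a change of host.
  if (status >= 300 && status < 400 && h.location) {
    const target = new URL(h.location, url);
    if (target.host !== requestUrl.host) findings.push(`redirect-offsite-${target.host}`);
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const WEAK_RESPONSE = {
  url: 'https://shop.example/login',
  status: 302,
  headers: {
    'Server': 'Apache/2.4.29 (Ubuntu)',
    'Set-Cookie': ['session=abc123; Path=/', 'prefs=dark; Path=/; Secure; HttpOnly'],
    'Location': 'http://tracking.example.net/?r=login',
  },
};
const HARDENED_RESPONSE = {
  url: 'https://shop.example/login',
  status: 302,
  headers: {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'Set-Cookie': 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    'Location': '/account',
  },
};

console.log('weak:', auditResponse(WEAK_RESPONSE));
console.log('hardened:', auditResponse(HARDENED_RESPONSE));
```

The weak response produces six findings (no HSTS, no nosniff, the session cookie missing both attributes, a Server banner, and a redirect to tracking.example.net); the hardened one produces none. The prefs cookie in the weak response is deliberately correct, to show that checks are per cookie rather than per response.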

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
