Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Open Sources Website Scanning Tool ‘Sonar’

Microsoft announced this week the availability of Sonar, an open source linting and website scanning tool designed to help developers identify and fix performance and security issues.

Microsoft announced this week the availability of Sonar, an open source linting and website scanning tool designed to help developers identify and fix performance and security issues.

Developed by the Microsoft Edge team, Sonar has been made open source and donated to the JS Foundation. Microsoft will continue making improvements to the project, but external contributions are also welcome.

Linting is the process of analyzing code for potential errors. Sonar looks for a wide range of issues, including related to performance, accessibility, security, Progressive Web Apps (PWA), and interoperability.Sonar open source tool

In the case of security, Sonar looks for eight types of weaknesses, including SSL configuration problems using SSL Labs’ SSL Server Test.

Another test looks for HTTPS connections that don’t use the Strict-Transport-Security header, which ensures that a website can only be accessed via secure connections to prevent man-in-the-middle (MitM) attacks.

Developers can also verify if their applications or sites are vulnerable to attacks that rely on MIME sniffing, which allows browsers to detect file formats even if the media type is incorrect. While MIME sniffing has benefits, it also introduces some security risks, which can be mitigated if the website uses the X-Content-Type-Options: nosniff HTTP response header.

Sonar also checks if the set-cookie header defines the Secure and HttpOnly attributes, which prevent session hijacking via cross-site scripting (XSS) attacks by ensuring that cookies cannot be transmitted over HTTP and their value cannot be accessed via JavaScript.

Another useful feature for security is Sonar’s ability to determine if a website is running a vulnerable client-side JavaScript library or framework. It does this by using Snyk’s Vulnerability DB and js-library-detector.

Sonar is also designed to ensure that headers don’t leak potentially sensitive data, and prevent unauthorized redirects that could lead users to malicious websites.

Sonar can be used locally as a command line tool, but an online version is also available. The tool can be integrated with several other products, including aXe Core, AMP validator, snyk.io, SSL Labs, and Cloudinary.

Related: Google, Spotify Release Open Source Cloud Security Tools

Related: Cisco Releases Open Source Malware Signature Generator

Related: Kaspersky Releases Open Source Digital Forensics Tool

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.