Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Open Sources Website Scanning Tool ‘Sonar’

Microsoft announced this week the availability of Sonar, an open source linting and website scanning tool designed to help developers identify and fix performance and security issues.

Microsoft announced this week the availability of Sonar, an open source linting and website scanning tool designed to help developers identify and fix performance and security issues.

Developed by the Microsoft Edge team, Sonar has been made open source and donated to the JS Foundation. Microsoft will continue making improvements to the project, but external contributions are also welcome.

Linting is the process of analyzing code for potential errors. Sonar looks for a wide range of issues, including related to performance, accessibility, security, Progressive Web Apps (PWA), and interoperability.Sonar open source tool

In the case of security, Sonar looks for eight types of weaknesses, including SSL configuration problems using SSL Labs’ SSL Server Test.

Another test looks for HTTPS connections that don’t use the Strict-Transport-Security header, which ensures that a website can only be accessed via secure connections to prevent man-in-the-middle (MitM) attacks.

Developers can also verify if their applications or sites are vulnerable to attacks that rely on MIME sniffing, which allows browsers to detect file formats even if the media type is incorrect. While MIME sniffing has benefits, it also introduces some security risks, which can be mitigated if the website uses the X-Content-Type-Options: nosniff HTTP response header.

Sonar also checks if the set-cookie header defines the Secure and HttpOnly attributes, which prevent session hijacking via cross-site scripting (XSS) attacks by ensuring that cookies cannot be transmitted over HTTP and their value cannot be accessed via JavaScript.

Another useful feature for security is Sonar’s ability to determine if a website is running a vulnerable client-side JavaScript library or framework. It does this by using Snyk’s Vulnerability DB and js-library-detector.

Sonar is also designed to ensure that headers don’t leak potentially sensitive data, and prevent unauthorized redirects that could lead users to malicious websites.

Advertisement. Scroll to continue reading.

Sonar can be used locally as a command line tool, but an online version is also available. The tool can be integrated with several other products, including aXe Core, AMP validator, snyk.io, SSL Labs, and Cloudinary.

Related: Google, Spotify Release Open Source Cloud Security Tools

Related: Cisco Releases Open Source Malware Signature Generator

Related: Kaspersky Releases Open Source Digital Forensics Tool

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.