On Detecting and Measuring Exploitable JavaScript Functions in Real-world Applications
Article No.: 8, Pages 1 - 37
Abstract
JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications. Because of its popularity, JavaScript has become a frequent target for attackers who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first. Existing studies in vulnerable code detection in JavaScript mostly consider package-level vulnerability tracking and measurements. However, such package-level analysis is largely imprecise, as real-world services that include a vulnerable package may not use the vulnerable functions in the package. Moreover, even the inclusion of a vulnerable function may not lead to a security problem if the function cannot be triggered with exploitable inputs. In this article, we develop a vulnerability detection framework that uses vulnerable pattern recognition and textual similarity methods to detect vulnerable functions in real-world JavaScript projects, combined with a static multi-file taint analysis mechanism to further assess the impact of the vulnerabilities on the whole project (i.e., whether the vulnerability can be exploited in a given project). We compose a comprehensive dataset of 1,360 verified vulnerable JavaScript functions using the Snyk vulnerability database and the VulnCode-DB project. From this ground-truth dataset, we build our vulnerable patterns for two common vulnerability types: prototype pollution and Regular Expression Denial of Service (ReDoS). With our framework, we analyze 9,205,654 functions (from 3,000 NPM packages, 1,892 websites and 557 Chrome Web extensions), and detect 117,601 prototype pollution and 7,333 ReDoS vulnerabilities. By further processing all 5,839 findings from NPM packages with our taint analyzer, we verify the exploitability of 290 zero-day cases across 134 NPM packages. In addition, we conduct an in-depth contextual analysis of the findings in 17 popular/critical projects and study the practical security exposure of 20 functions. With our semi-automated vulnerability reporting functionality, we disclosed all verified findings to project owners. We also obtained 25 published CVEs for our findings, 19 of them rated as “Critical” severity and six rated as “High” severity. Additionally, we obtained 169 CVEs that are currently “Reserved” (as of Apr. 2023). As evident from the results, our approach can shift JavaScript vulnerability detection from the coarse package/library level to the function level and thus improve the accuracy of detection and aid timely patching.
References
[1]
1e0ng. 2020. SimHash. Retrieved from https://github.com/1e0ng/SimHash
[2]
AcornJS. 2012. Acorn: A Tiny, Fast JavaScript Parser. Retrieved from https://github.com/acornjs/acorn
[3]
Mahmoud Alfadel, Diego Elias Costa, Emad Shihab, and Mouafak Mkhallalati. 2021. On the use of dependabot security pull requests. In MSR’21. 254–265.
[4]
Andrew Smith. 2021. Content Spoofing. Retrieved from https://owasp.org/www-community/attacks/Content_Spoofing
[5]
Jeremy Ashkenas. 2009. Underscore.js. Retrieved from https://github.com/jashkenas/underscore
[6]
Babel. 2020. Babel progress on ECMAScript proposals. Retrieved from https://github.com/babel/proposals
[7]
Balderdash Design Co.2012. Sails.js: The MVC Framework for Node.js. Retrieved from https://sailsjs.com/
[8]
Ira Baxter, Andrew Yahin, Leonardo de Moura, Marcelo Sant’Anna, and Lorraine Bier. 1998. Clone detection using abstract syntax trees. In ICSM’98. 368–377.
[9]
Fabian Beuke. 2021. GitHub Language Statistics. Retrieved from https://madnight.github.io/githut/#/pull_requests/2021/1
[10]
Benjamin Bowman and H. Howie Huang. 2020. VGRAPH: A robust vulnerable code clone detection system using code property triplets. In IEEE EuroS&P’20. 53–69.
[11]
BuiltWith.com. 2022. AngularJS Usage Statistics. Retrieved from https://trends.builtwith.com/javascript/Angular-JS
[12]
BuiltWith.com. 2022. SailsJS Usage Statistics. Retrieved from https://trends.builtwith.com/framework/SailsJS
[13]
Caolan McMahon. 2011. Async. Retrieved from https://caolan.github.io/async/v3/
[14]
Caolan McMahon. 2014. Highland: The High-level Streams Library for Node.js and the Browser. Retrieved from https://caolan.github.io/highland/
[15]
Daming D. Chen, Maverick Woo, David Brumley, and Manuel Egele. 2016. Towards automated dynamic analysis for linux-based embedded firmware. In NDSS Symposium.
[16]
Wai Cheung, Sukyoung Ryu, and Sunghun Kim. 2015. Development nature matters: An empirical study of code clones in JavaScript applications. Empir. Softw. Eng. 21 (Mar.2015), 517–564.
[17]
Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, Takashi Ishio, Akinori Ihara, and Kenichi Matsumoto. 2021. Lags in the release, adoption, and propagation of NPM vulnerability fixes. Empir. Softw. Eng. 26 (May2021).
[18]
Bodin Chinthanet, Serena Elisa Ponta, Henrik Plate, Antonino Sabetta, Raula Gaikovina Kula, Takashi Ishio, and Kenichi Matsumoto. 2020. Code-based vulnerability detection in node.js applications: How far are we? In ASE’20. 1199–1203.
[19]
CodeQL. 2019. CodeQL: About Data Flow Analysis. Retrieved from https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/
[20]
Dan Hubbard. 2016. Cisco Umbrella 1 Million. Retrieved from https://umbrella.cisco.com/blog/cisco-umbrella-1-million
[21]
Jamie Davis. 2018. Detect Vulnerable Regexes in your Project. Retrieved from https://github.com/davisjam/vuln-regex-detector
[22]
Jos de Jong. 2013. Ducktype. Retrieved from https://github.com/josdejong/ducktype
[23]
Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the impact of security vulnerabilities in the NPM package dependency network. In MSR’18. ACM, 181–191.
[24]
Cypress Data Defense. 2020. Differences Between Static Code Analysis and Dynamic Testing. Retrieved from https://www.cypressdatadefense.com/blog/static-and-dynamic-code-analysis/
[25]
Ben Dickson. 2020. Prototype Pollution: The Dangerous and Underrated Vulnerability Impacting JavaScript Applications. Retrieved from https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications
[26]
Adam Doupé, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2012. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security’12. 523–538.
[27]
Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards measuring supply chain attacks on package managers for interpreted languages. In NDSS’21.
[28]
Escomplex. 2015. Escomplex: Software Complexity Analysis of JavaScript Abstract Syntax Trees. Retrieved from https://github.com/escomplex/escomplex
[29]
Chunrong Fang, Zixi Liu, Yangyang Shi, Jeff Huang, and Qingkai Shi. 2020. Functional code clone detection with syntax and semantics fusion learning. In ISSTA’20. 516–527.
[30]
Rudolf Ferenc, Péter Hegedüs, Péter Gyimesi, Gábor Antal, Dénes Bán, and Tibor Gyimóthy. 2019. Challenging machine learning algorithms in predicting vulnerable JavaScript functions. In RAISE@ICSE’19. 8–14.
[31]
OpenJS Foundation. 2014. Espree. Retrieved from https://www.npmjs.com/package/espree
[32]
GitHub. 2019. CodeQL, Semantic Code Analysis Engine. Retrieved from https://codeql.github.com/
[33]
Google. 2010. AngularJS. Retrieved from https://angularjs.org/
[34]
Google. 2019. The Vulnerable Code Database (Vulncode-DB). Retrieved from https://www.vulncode-db.com
[35]
Gravatar.com. 2007. Gravatar. Retrieved from https://en.gravatar.com/
[36]
James Halliday. 2013. Minimist. Retrieved from https://www.npmjs.com/package/minimist
[37]
hapi.js team. 2014. @hapi/subtext. Retrieved from https://github.com/hapijs/subtext
[38]
Jordan Harband. 2014. QS, a Query String Parsing and Stringifying Library. Retrieved from https://github.com/ljharb/qs
[39]
Xiaoyu He, Xiaofei Xie, Yuekang Li, Jianwen Sun, Feng Li, Wei Zou, Yang Liu, Lei Yu, Jianhua Zhou, Wenchang Shi, and Wei Huo. 2021. SoFi: Reflection-augmented fuzzing for JavaScript engines. In ACM CCS’21. 2229–2242.
[40]
Ariya Hidayat. 2012. ECMAScript Parsing Infrastructure for Multipurpose Analysis. Retrieved from https://esprima.org/
[41]
Chaojian Hu, Zhoujun Li, Jinxin Ma, Tao Guo, and Zhiwei Shi. 2012. File parsing vulnerability detection with symbolic execution. In TASE’12. 135–142.
[42]
Han HyungSeok, Oh DongHyeon, and Kil Cha Sang. 2019. CodeAlchemist: Semantics-aware code generation to find vulnerabilities in JavaScript engines. In NDSS’19.
[43]
IBM. 2015. The T. J. Watson Libraries for Analysis (WALA). http://wala.sourceforge.net
[44]
GitHub Inc.2017. GitHub Advisory Database. Retrieved from https://github.com/advisories
[45]
Schema inspector team. 2014. Schema-inspector. Retrieved from https://github.com/schema-inspector/schema-inspector
[46]
James Halliday. 2013. saferegex. Retrieved from https://github.com/substack/safe-regex
[47]
Jiyong Jang, Maverick Woo, and David Brumley. 2012. ReDeBug: Finding unpatched code clones in entire OS distributions. IEEE Sympos. Secur. Priv. 37, 6 (May2012), 48–62.
[48]
Christopher Jeffrey. 2011. Marked. Retrieved from https://github.com/markedjs/marked
[49]
Lingxiao Jiang, Ghassan Misherghi, Zhendong Su, and Stéphane Glondu. 2007. DECKARD: Scalable and accurate tree-based detection of code clones. In ICSE’07. 96–105.
[50]
Matthieu Jimenez, Yves Le Traon, and Mike Papadakis. 2018. Enabling the continuous analysis of security vulnerabilities with VulData7. In IEEE SCAM’18. 56–61.
[51]
Joern. 2019. Joern - The Bug Hunter’s Workbench. Retrieved from joern.io
[52]
Joernio. 2021. AST Generator. Retrieved from https://github.com/joernio/astgen
[53]
John-David Dalton. 2009. Lodash. Retrieved from https://www.npmjs.com/package/lodash
[54]
John-David Dalton. 2009. Lodash: A Modern JavaScript Utility Library. Retrieved from https://lodash.com/
[55]
Toshihiro Kamiya, Shinji Kusumoto, and Katsuro Inoue. 2002. CCFinder: A multilinguistic token-based code clone detection system for large scale source code. IEEE Trans. Softw. Eng. 28, 7 (2002), 654–670.
[56]
Zifeng Kang, Song Li, and Yinzhi Cao. 2022. Probe the proto: Measuring client-side prototype pollution vulnerabilities of one million real-world websites. In NDSS’22.
[57]
Rezwana Karim, Frank Tip, Alena Sochůrková, and Koushik Sen. 2020. Platform-independent dynamic taint analysis for JavaScript. IEEE Trans. Softw. Eng. 46, 12 (Oct.2020), 1364–1379.
[58]
Kestrel Technology. 2020. CodeHawk Tool Suite. Retrieved from https://github.com/static-analysis-engineering/codehawk
[59]
Hee Kim, Ji Kim, Ho Oh, Beom Lee, Si Mun, Jeong Shin, and Kyounggon Kim. 2022. DAPP: Automatic detection and analysis of prototype pollution vulnerability in node.js modules. Int. J. Inf. Secur. 21 (Feb.2022), 1–23.
[60]
Seokmo Kim, R. Kim, and Young Park. 2016. Software vulnerability detection methodology combined with static and dynamic analysis. Wirel. Person. Commun. 89 (Aug.2016), 1–17.
[61]
Seulbae Kim, Seunghoon Woo, Heejo Lee, and Hakjoo Oh. 2017. VUDDY: A scalable approach for vulnerable code clone discovery. In IEEE S&P’17. 595–614.
[62]
James Kirrage, Asiri Rathnayake Mudiyanselage, and Hayo Thielecke. 2013. Static analysis for regular expression denial-of-service attacks. In NSS’13. 135–148.
[63]
Maryna Kluban, Mohamman Mannan, and Amr Youssef. 2022. On measuring vulnerable JavaScript functions in the wild. In ASIA CCS’22.
[64]
Aditya Kurniawan, Bahtiar Saleh Abbas, Agung Trisetyarso, and Sani Muhammad Isa. 2018. Static taint analysis traversal with object oriented component for web file injection vulnerability pattern detection. Procedia Comput. Sci. 135 (2018), 596–605. Retrieved from https://www.sciencedirect.com/science/article/pii/S1877050918315230
[65]
Hongzhe Li, Hyuckmin Kwon, Jonghoon Kwon, and Heejo Lee. 2016. CLORIFI: Software vulnerability discovery using code clone verification. Concurr. Comput.: Pract. Exper. 28, 6 (May2016), 1900–1917.
[66]
Jingyue Li and Michael D. Ernst. 2012. CBCD: Cloned buggy code detector. In ICSE’12. 310–320.
[67]
Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2021. Detecting node.Js prototype pollution vulnerabilities via object lookup analysis. In ESEC/FSE’21. 268–279.
[68]
Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao. 2022. Mining node.js vulnerabilities via object dependence graph and query. In USENIX Security’22.
[69]
Yeting Li, Zixuan Chen, Jialun Cao, Zhiwu Xu, Qiancheng Peng, Haiming Chen, Liyuan Chen, and Shing-Chi Cheung. 2021. ReDoSHunter: A combined static and dynamic approach for regular expression DoS detection. In USENIX Security’21. 3847–3864.
[70]
Yinxi Liu, Mingxue Zhang, and Wei Meng. 2021. Revealer: Detecting and exploiting regular expression denial-of-service vulnerabilities. In IEEE S&P’21. 1468–1484.
[71]
Veracode LLC. 2006. Veracode Static Analysis. Retrieved from https://www.veracode.com/products/binary-static-analysis-sast
[72]
Abdalla Wasef Marashdih, Zarul Fitri Zaaba, and Khaled Suwais. 2023. An enhanced static taint analysis approach to detect input validation vulnerability. J. King Saud Unive. - Comput. Inf. Sci. 35, 2 (2023), 682–701.
[73]
Sebastian McKenzie. 2014. Babel, the JavaScript Compiler. Retrieved from https://babeljs.io/
[74]
Robert McLaughlin, Fabio Pagani, Noah Spahn, Christopher Kruegel, and Giovanni Vigna. 2022. Regulator: Dynamic analysis to detect ReDoS. In USENIX Security’22.
[75]
Nikita Mehrotra, Navdha Agarwal, Piyush Gupta, Saket Anand, David Lo, and Rahul Purandare. 2021. Modeling functional similarity in source code with graph-based siamese networks. IEEE Trans. Softw. Eng. (Aug.2021).
[76]
Tomás Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. In ICLR’13.
[77]
MITRE. 2006. Common Weakness Enumeration. Retrieved from https://cwe.mitre.org/
[78]
MITRE. 2021. Common Vulnerabilities and Exposures. Retrieved from https://cve.mitre.org/
[79]
Balázs Mosolygó, Norbert Vándor, Gábor Antal, Péter Hegedűs, and Rudolf Ferenc. 2021. Towards a prototype based explainable JavaScript vulnerability prediction model. In ICCQ. 15–25.
[80]
Mozilla. 2021. Polyfill. Retrieved from https://developer.mozilla.org/en-US/docs/Glossary/Polyfill
[81]
James Newsome, David Brumley, Jason Franklin, and Dawn Song. 2006. Replayer: Automatic protocol replay by binary analysis. In ACM CCS’06. 311–321.
[82]
npm. 2010. Node Package Registry. Retrieved from https://www.npmjs.com/
[83]
npm. 2018. The Node Security Platform Service is Shutting Down. Retrieved from https://blog.npmjs.org/post/175511531085/insert-title-here.html
[84]
Chris O’Hara. 2018. Validator.js. Retrieved from https://github.com/validatorjs/validator.js
[85]
OSA 2018. OpenStaticAnalyzer. Retrieved from https://openstaticanalyzer.github.io/
[86]
The Node Security Platform. 2017. ESLint Security Plugin. Retrieved from https://www.npmjs.com/package/eslint-plugin-security
[87]
Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczyński, and Wouter Joosen. 2019. Tranco—A research-oriented top sites ranking hardened against manipulation. In NDSS’19.
[88]
PortSwigger.net. 2021. DOM-based Open Redirection. Retrieved from https://portswigger.net/web-security/dom-based/open-redirection
[89]
Niels Provos. 2015. A JavaScript-based DDoS Attack as Seen by Safe Browsing. Retrieved from https://security.googleblog.com/2015/04/a-javascript-based-ddos-attack-as-seen.html
[90]
Andris Reinman. 2014. NODEMAILER, Send Emails from Node.js – Easy as Cake! Retrieved from https://nodemailer.com/
[91]
Rebecca Russell, Louis Kim, Lei Hamilton, Tomo Lazovich, Jacob Harer, Onur Ozdemir, Paul Ellingwood, and Marc McConley. 2018. Automated vulnerability detection in source code using deep representation learning. In ICMLA’18. 757–762.
[92]
SonarSource S.A. 2008. SonarCube: Code Security, for Developers. Retrieved from https://www.sonarqube.org/features/security/
[93]
Hitesh Sajnani, Vaibhav Saini, Jeffrey Svajlenko, Chanchal K. Roy, and Cristina V. Lopes. 2016. SourcererCC: Scaling code clone detection to big-code. In ICSE’16. 1157–1168.
[94]
Raimondas Sasnauskas and John Regehr. 2014. Intent fuzzer: Crafting intents of death. In WODA+PERTEA’14. 1–5.
[95]
Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, and Dawn Song. 2010. A symbolic execution framework for JavaScript. In IEEE S&P’10. 513–528.
[96]
Scott Sauyet, Buzz de Cafe. 2020. Ramda. Retrieved from https://ramdajs.com/
[97]
Semgrep.dev. 2020. Semgrep–Find Bugs and Enforce Code Standards. Retrieved from https://semgrep.dev/docs/
[98]
Koushik Sen, Swaroop Kalasapur, Tasneem G. Brutch, and Simon J. Gibbs. 2013. Jalangi: A selective record-replay and dynamic analysis framework for JavaScript. In ESEC/FSE’13. 488–498.
[99]
Mikhail Shcherbakov, Musard Balliu, and Cristian-Alexandru Staicu. 2023. Silent spring: Prototype pollution leads to remote code execution in node.js. In USENIX Security’23.
[100]
Sheetjs LLC. 2012. SheetJS Community Edition – Spreadsheet Data Toolkit. Retrieved from https://github.com/SheetJS/sheetjs/
[101]
Yuju Shen, Yanyan Jiang, Chang Xu, Ping Yu, Xiaoxing Ma, and Jian Lu. 2018. ReScue: Crafting regular expression DoS attacks. In ACM/IEEE ASE’18. 225–235.
[102]
Abdullah Sheneamer and Jugal Kalita. 2016. Semantic clone detection using machine learning. In IEEE Conference on Machine Learning and Applications. 1024–1028.
[103]
Snyk.io. 2015. Snyk Vulnerability Database. Retrieved from https://snyk.io/product/vulnerability-database/
[104]
Snyk.io. 2018. GitHub Snyk Vulnerability Database. Retrieved from https://github.com/snyk/vulnerabilitydb
[105]
Snyk.io. 2018. Prototype Pollution in merge, mergeWith, and defaultsDeep, Lodash. Retrieved from https://snyk.io/vuln/SNYK-DOTNET-LODASH-540455
[106]
Snyk.io. 2019. Prototype Pollution in defaultsDeep, Lodash. Retrieved from https://snyk.io/vuln/SNYK-DOTNET-LODASH-540457
[107]
Snyk.io. 2020. Prototype Pollution in set/setWith, Lodash. Retrieved from https://snyk.io/vuln/SNYK-JS-LODASH-608086
[108]
Snyk.io. 2020. Prototype Pollution in zipObjectDeep, Lodash. Retrieved from https://snyk.io/vuln/SNYK-JS-LODASH-590103
[109]
Softwaretestinghelp.com. 2021. JavaScript Injection Tutorial: Test and Prevent JS Injection Attacks on Website. Retrieved from https://www.softwaretestinghelp.com/javascript-injection-tutorial/
[110]
Xiaonan Song, Aimin Yu, Haibo Yu, Shirun Liu, Xin Bai, Lijun Cai, and Dan Meng. 2020. Program slice based vulnerable code clone detection. In IEEE TrustCom’20. 293–300.
[111]
Stackoverflow.com. 2020. Developer Survey. Retrieved from https://insights.stackoverflow.com/survey/2020#most-popular-technologies
[112]
Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the web: A study of ReDoS vulnerabilities in JavaScript-based web servers. In USENIX Security’18. 361–376.
[113]
Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In NDSS. 1–16.
[114]
Bryan Sullivan. 2010. SDL Regex Fuzzer. Retrieved from https://www.microsoft.com/security/blog/2010/10/12/new-tool-sdl-regex-fuzzer/
[115]
Superhuman Labs. 2016. RXXR2 Regular Expression Static Analyzer. Retrieved from https://github.com/superhuman/rxxr2
[116]
Yargs team. 2016. yargs-parser. Retrieved from https://github.com/yargs/yargs-parser
[117]
Nikolai Tillmann and Jonathan de Halleux. 2008. Pex–White box test generation for .NET. In TAP’08. 134–153.
[118]
Michele Tufano, Cody Watson, Gabriele Bavota, Massimiliano Di Penta, Martin White, and Denys Poshyvanyk. 2018. Deep learning similarities from different representations of source code. In MSR’18. 542–553.
[119]
Tijana Vislavski, Gordana Rakic, Nicolás Cardozo, and Zoran Budimac. 2018. LICCA: A tool for cross-language clone detection. In IEEE SANER’18. 512–516.
[120]
W3Techs. 2021. Usage Statistics of JavaScript as Client-side Programming Language on Websites. Retrieved from https://w3techs.com/technologies/details/cp-javascript
[121]
Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. 2010. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In IEEE S&P’10. 497–512.
[122]
Nicolaas Weideman, Brink Van Der Merwe, Martin Berglund, and Bruce Watson. 2016. Analyzing matching time behavior of backtracking regular expression matchers by using ambiguity of NFA. In Implementation and Application of Automata. Springer, 322–334.
[123]
Adar Weidman. 2019. Regular Expression Denial of Service - ReDoS. Retrieved from https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
[124]
Fabian Yamaguchi, Nico Golde, Daniel Arp, and Konrad Rieck. 2014. Modeling and discovering vulnerabilities with code property graphs. In IEEE S&P’14. 590–604.
[125]
Yeoman team. 2012. grunt-usemin. Retrieved from https://www.npmjs.com/package/grunt-usemin/
[126]
Rodrigo Elizalde Zapata, Raula Gaikovina Kula, Bodin Chinthanet, Takashi Ishio, Kenichi Matsumoto, and Akinori Ihara. 2018. Towards smoother library migrations: A look at vulnerable dependency migrations at function level for NPM JavaScript Packages. In IEEE ICSME’18. 559–563.
[127]
Ahmed Zerouali, Valerio Cosentino, Tom Mens, Gregorio Robles, and Jesús M. González-Barahona. 2019. On the impact of outdated and vulnerable JavaScript packages in docker images. In IEEE SANER’19. 619–623.
[128]
Matt Zeunert. 2016. FromJS. Retrieved from https://www.fromjs.com/
[129]
Minmin Zhou, Jinfu Chen, Yisong Liu, Hilary Ackah-Arthur, Shujie Chen, Qingchen Zhang, and Zhifeng Zeng. 2019. A method for software vulnerability detection based on improved control flow graph. Wuhan Univ. J. Natur. Sci. 24 (Apr.2019), 149–160.
[130]
Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In NIPS’19. 10197–10207.
[131]
Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, and Michael Pradel. 2019. Small world with high risks: A study of security threats in the NPM ecosystem. In USENIX Security’19. 995–1010.
Index Terms
- On Detecting and Measuring Exploitable JavaScript Functions in Real-world Applications
Recommendations
On Measuring Vulnerable JavaScript Functions in the Wild
ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications SecurityJavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications, and is currently used in almost all websites. Because of its popularity, JavaScript has become a frequent target for ...
Detecting Blind Cross-Site Scripting Attacks Using Machine Learning
SPML '18: Proceedings of the 2018 International Conference on Signal Processing and Machine LearningCross-site scripting (XSS) is a scripting attack targeting web applications by injecting malicious scripts into web pages. Blind XSS is a subset of stored XSS, where an attacker blindly deploys malicious payloads in web pages that are stored in a ...
Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution
Fuzz testing has proven successful in finding security vulnerabilities in large programs. However, traditional fuzz testing tools have a well-known common drawback: they are ineffective if most generated inputs are rejected at the early stage of program ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
February 2024
369 pages
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 05 February 2024
Online AM: 26 October 2023
Accepted: 20 October 2023
Revised: 16 April 2023
Received: 03 August 2022
Published in TOPS Volume 27, Issue 1
Check for updates
Author Tags
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 587Total Downloads
- Downloads (Last 12 months)581
- Downloads (Last 6 weeks)98
Reflects downloads up to 18 Nov 2024
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in