On Detecting and Measuring Exploitable JavaScript Functions in Real-World Applications

IF 3 4区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS ACM Transactions on Privacy and Security Pub Date : 2023-10-26 DOI:10.1145/3630253

Maryna Kluban, Mohammad Mannan, Amr Youssef

{"title":"On Detecting and Measuring Exploitable JavaScript Functions in Real-World Applications","authors":"Maryna Kluban, Mohammad Mannan, Amr Youssef","doi":"10.1145/3630253","DOIUrl":null,"url":null,"abstract":"JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications. Because of its popularity, JavaScript has become a frequent target for attackers who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first. Existing studies in vulnerable code detection in JavaScript mostly consider package-level vulnerability tracking and measurements. However, such package-level analysis is largely imprecise as real-world services that include a vulnerable package may not use the vulnerable functions in the package. Moreover, even the inclusion of a vulnerable function may not lead to a security problem, if the function cannot be triggered with exploitable inputs. In this paper, we develop a vulnerability detection framework that uses vulnerable pattern recognition and textual similarity methods to detect vulnerable functions in real-world JavaScript projects, combined with a static multi-file taint analysis mechanism to further assess the impact of the vulnerabilities on the whole project (i.e., whether the vulnerability can be exploited in a given project). We compose a comprehensive dataset of 1,360 verified vulnerable JavaScript functions using the Snyk vulnerability database and the VulnCode-DB project. From this ground-truth dataset, we build our vulnerable patterns for two common vulnerability types: prototype pollution and Regular Expression Denial of Service (ReDoS). With our framework, we analyze 9,205,654 functions (from 3,000 NPM packages, 1892 websites and 557 Chrome Web extensions), and detect 117,601 prototype pollution and 7,333 ReDoS vulnerabilities. By further processing all 5,839 findings from NPM packages with our taint analyzer, we verify the exploitability of 290 zero-day cases across 134 NPM packages. In addition, we conduct an in-depth contextual analysis of the findings in 17 popular/critical projects and study the practical security exposure of 20 functions. With our semi-automated vulnerability reporting functionality, we disclosed all verified findings to project owners. We also obtained 25 published CVEs for our findings, 19 of them rated as “Critical” severity, and six rated as “High” severity. Additionally, we obtained 169 CVEs that are currently “Reserved” (as of Apr. 2023). As evident from the results, our approach can shift JavaScript vulnerability detection from the coarse package/library level to the function level, and thus improve the accuracy of detection and aid timely patching.","PeriodicalId":56050,"journal":{"name":"ACM Transactions on Privacy and Security","volume":null,"pages":null},"PeriodicalIF":3.0000,"publicationDate":"2023-10-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Privacy and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3630253","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications. Because of its popularity, JavaScript has become a frequent target for attackers who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first. Existing studies in vulnerable code detection in JavaScript mostly consider package-level vulnerability tracking and measurements. However, such package-level analysis is largely imprecise as real-world services that include a vulnerable package may not use the vulnerable functions in the package. Moreover, even the inclusion of a vulnerable function may not lead to a security problem, if the function cannot be triggered with exploitable inputs. In this paper, we develop a vulnerability detection framework that uses vulnerable pattern recognition and textual similarity methods to detect vulnerable functions in real-world JavaScript projects, combined with a static multi-file taint analysis mechanism to further assess the impact of the vulnerabilities on the whole project (i.e., whether the vulnerability can be exploited in a given project). We compose a comprehensive dataset of 1,360 verified vulnerable JavaScript functions using the Snyk vulnerability database and the VulnCode-DB project. From this ground-truth dataset, we build our vulnerable patterns for two common vulnerability types: prototype pollution and Regular Expression Denial of Service (ReDoS). With our framework, we analyze 9,205,654 functions (from 3,000 NPM packages, 1892 websites and 557 Chrome Web extensions), and detect 117,601 prototype pollution and 7,333 ReDoS vulnerabilities. By further processing all 5,839 findings from NPM packages with our taint analyzer, we verify the exploitability of 290 zero-day cases across 134 NPM packages. In addition, we conduct an in-depth contextual analysis of the findings in 17 popular/critical projects and study the practical security exposure of 20 functions. With our semi-automated vulnerability reporting functionality, we disclosed all verified findings to project owners. We also obtained 25 published CVEs for our findings, 19 of them rated as “Critical” severity, and six rated as “High” severity. Additionally, we obtained 169 CVEs that are currently “Reserved” (as of Apr. 2023). As evident from the results, our approach can shift JavaScript vulnerability detection from the coarse package/library level to the function level, and thus improve the accuracy of detection and aid timely patching.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

关于在实际应用中检测和测量可利用的JavaScript函数

JavaScript通常被认为是开发客户端和服务器端应用程序最流行的编程语言。由于其受欢迎程度，JavaScript已经成为攻击者利用源代码中的漏洞来控制应用程序的常见目标。要解决这些JavaScript安全问题，必须首先确定这些漏洞。现有的JavaScript漏洞代码检测研究主要考虑包级漏洞跟踪和度量。然而，这种包级分析在很大程度上是不精确的，因为包含易受攻击包的实际服务可能不会使用包中的易受攻击功能。此外，如果不能使用可利用的输入触发该功能，即使包含易受攻击的功能也可能不会导致安全问题。在本文中，我们开发了一个漏洞检测框架，利用漏洞模式识别和文本相似度方法检测真实JavaScript项目中的漏洞函数，并结合静态多文件污染分析机制，进一步评估漏洞对整个项目的影响(即在给定项目中是否可以利用漏洞)。我们使用Snyk漏洞数据库和VulnCode-DB项目组成了1360个经过验证的脆弱JavaScript函数的综合数据集。根据这个基本事实数据集，我们为两种常见的漏洞类型构建了漏洞模式:原型污染和正则表达式拒绝服务(ReDoS)。利用我们的框架，我们分析了9,205,654个函数(来自3,000个NPM包，1892个网站和557个Chrome Web扩展)，并检测出117,601个原型污染和7,333个ReDoS漏洞。通过使用污染分析仪进一步处理NPM包中的所有5839个发现，我们验证了134个NPM包中290个零日漏洞的可利用性。此外，我们对17个流行/关键项目的调查结果进行了深入的上下文分析，并研究了20个功能的实际安全暴露。通过我们的半自动漏洞报告功能，我们向项目所有者披露了所有经过验证的发现。我们还为我们的发现获得了25个已发表的cve，其中19个被评为“关键”严重性，6个被评为“高”严重性。此外，我们获得了169个目前“保留”的cve(截至2023年4月)。从结果可以看出，我们的方法可以将JavaScript漏洞检测从粗包/库级别转移到函数级别，从而提高检测的准确性并有助于及时修补。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

ACM Transactions on Privacy and Security Computer Science-General Computer Science

CiteScore

5.20

自引率

0.00%

发文量

期刊介绍： ACM Transactions on Privacy and Security (TOPS) (formerly known as TISSEC) publishes high-quality research results in the fields of information and system security and privacy. Studies addressing all aspects of these fields are welcomed, ranging from technologies, to systems and applications, to the crafting of policies.