Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

Cited by: 3
Authors
Brito, Tiago [1 ]
Ferreira, Mafalda [1 ]
Monteiro, Miguel [1 ]
Lopes, Pedro [1 ]
Barros, Miguel [1 ]
Santos, Jose Fragoso [1 ]
Santos, Nuno [1 ]
Affiliations
[1] Univ Lisbon, IST, INESC ID, P-1649004 Lisbon, Portugal
Keywords
Automatic testing; computer security; static analysis;
DOI
10.1109/TR.2023.3286301
CLC classification number
TP3 [Computing technology, computer technology];
Subject classification code
0812 ;
Abstract
With the emergence of the Node.js ecosystem, JavaScript has become a widely used programming language for implementing server-side web applications. In this article, we present the first empirical study of static code analysis tools for detecting vulnerabilities in Node.js code. To conduct a comprehensive tool evaluation, we created the largest known curated dataset of Node.js code vulnerabilities. We characterized and annotated a set of 957 vulnerabilities by analyzing information contained in npm advisory reports. We tested nine different tools and found that many important vulnerabilities appearing in the OWASP top-10 are not detected by any tool. The three best performing tools combined only detect up to 57.6% of all vulnerabilities in the dataset, but at a very low precision of 0.11%. Our curated dataset offers a new benchmark to help characterize existing Node.js code vulnerabilities and foster the development of better vulnerability detection tools for Node.js code.
Pages: 1324 / 1339
Page count: 16
Related papers
50 items in total
  • [1] Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages
    Brito, Tiago
    Ferreira, Mafalda
    Monteiro, Miguel
    Lopes, Pedro
    Barros, Miguel
    Santos, José Fragoso
    Santos, Nuno
    [J]. arXiv, 2023,
  • [2] Static Analysis of Event-Driven Node.js JavaScript Applications
    Madsen, Magnus
    Tip, Frank
    Lhotak, Ondrej
    [J]. ACM SIGPLAN NOTICES, 2015, 50 (10) : 505 - 519
  • [3] NodeXP: NOde.js server-side JavaScript injection vulnerability DEtection and eXPloitation
    Ntantogian, Christoforos
    Bountakas, Panagiotis
    Antonaropoulos, Dimitris
    Patsakis, Constantinos
    Xenakis, Christos
    [J]. JOURNAL OF INFORMATION SECURITY AND APPLICATIONS, 2021, 58
  • [4] Time-Travel Debugging for JavaScript/Node.js
    Barr, Earl T.
    Marron, Mark
    Maurer, Ed
    Moseley, Dan
    Seth, Gaurav
    [J]. FSE'16: PROCEEDINGS OF THE 2016 24TH ACM SIGSOFT INTERNATIONAL SYMPOSIUM ON FOUNDATIONS OF SOFTWARE ENGINEERING, 2016, : 1003 - 1007
  • [5] Server-side Web Development with JavaScript and Node.js
    Ortiz, Ariel
    [J]. PROCEEDINGS OF THE 45TH ACM TECHNICAL SYMPOSIUM ON COMPUTER SCIENCE EDUCATION (SIGCSE'14), 2014, : 747 - 747
  • [6] Mutode: Generic JavaScript and Node.js Mutation Testing Tool
    Rodriguez-Baquero, Diego
    Linares-Vasquez, Mario
    [J]. ISSTA'18: PROCEEDINGS OF THE 27TH ACM SIGSOFT INTERNATIONAL SYMPOSIUM ON SOFTWARE TESTING AND ANALYSIS, 2018, : 372 - 375
  • [7] SPMP: A JavaScript Support for Shared Persistent Memory on Node.js
    Zhang, Qipeng
    Li, Tianyou
    Deng, Pan
    Chen, Yuting
    Huang, Linpeng
    Rudoff, Andy
    [J]. ALGORITHMS AND ARCHITECTURES FOR PARALLEL PROCESSING, ICA3PP 2018, PT II, 2018, 11335 : 354 - 366
  • [8] Scaling JavaScript Abstract Interpretation to Detect and Exploit Node.js Taint-style Vulnerability
    Kang, Mingqing
    Xu, Yichao
    Li, Song
    Gjomemo, Rigel
    Hou, Jianwei
    Venkatakrishnan, V. N.
    Cao, Yinzhi
    [J]. 2023 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, SP, 2023, : 1059 - 1076
  • [9] Node.js: Using JavaScript to Build High-Performance Network Programs
    Tilkov, Stefan
    Vinoski, Steve
    [J]. IEEE INTERNET COMPUTING, 2010, 14 (06) : 80 - 83
  • [10] DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules
    Kim, Hee Yeon
    Kim, Ji Hoon
    Oh, Ho Kyun
    Lee, Beom Jin
    Mun, Si Woo
    Shin, Jeong Hoon
    Kim, Kyounggon
    [J]. INTERNATIONAL JOURNAL OF INFORMATION SECURITY, 2022, 21 (01) : 1 - 23