Login | Register

On Measuring JavaScript Vulnerabilities in the NPM Packages, Websites and Chrome Extensions


On Measuring JavaScript Vulnerabilities in the NPM Packages, Websites and Chrome Extensions

Kluban, Maryna (2022) On Measuring JavaScript Vulnerabilities in the NPM Packages, Websites and Chrome Extensions. Masters thesis, Concordia University.

[thumbnail of Kluban-MASc-F2022.pdf]
Text (application/pdf)
Kluban-MASc-F2022.pdf - Accepted Version
Available under License Spectrum Terms of Access.


JavaScript is often rated as the most popular programming language for the development of both client-side and server-side applications. Because of its popularity, JavaScript has become a frequent target for attackers, who exploit vulnerabilities in the source code to take control over the application. To address these JavaScript security issues, such vulnerabilities must be identified first.
Existing studies in vulnerable code detection in JavaScript mostly consider package-level vulnerability tracking and measurements. However, such package-level analysis is largely imprecise as real-world services that include a vulnerable package may not use the vulnerable functions in the package. Moreover, even the inclusion of a vulnerable function may not lead to a security problem, if the function cannot be triggered with exploitable inputs.
In this thesis, we develop a vulnerability detection framework that uses vulnerable pattern recognition and textual similarity methods to detect vulnerable functions in real-world JavaScript projects, combined with a static multi-file taint analysis mechanism to further assess the impact of the vulnerabilities on the whole project (i.e., whether the vulnerability can be exploited in a given project).
We compose a comprehensive dataset of 1,360 verified vulnerable JavaScript functions using the Snyk vulnerability database and the VulnCode-DB project. From this ground-truth dataset, we build our vulnerable patterns for two common vulnerability types: prototype pollution and Regular Expression Denial of Service (ReDoS).
With our framework, we analyze 9,205,654 functions (from 3,000 NPM packages, 1892 websites and 557 Chrome Web extensions), and detect 117,601 prototype pollution and 7,333 ReDoS vulnerabilities.
By further processing all 5,839 findings from NPM packages with our taint analyzer, we verify the exploitability of 290 zero-day cases across 134 NPM packages. In addition, we conduct an in-depth contextual analysis of the findings in 17 popular/critical projects and study the practical security exposure of 20 functions. With our semi-automated vulnerability reporting functionality, we disclose all verified findings to project owners. We also obtained four CVEs for our findings, two of them rated as 9.8/10 (critical) severity, one as 9.1/10 (critical), and one as 7.5/10 (high) severity; several other CVE requests are still in the process now. As evident from the results, our approach can shift JavaScript vulnerability detection from the coarse package/library level to the function level, and thus improve the accuracy of detection and aid timely patching.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Thesis (Masters)
Authors:Kluban, Maryna
Institution:Concordia University
Degree Name:M.A. Sc.
Program:Information Systems Security
Date:April 2022
Thesis Supervisor(s):Mannan, Mohammad and Youssef, Amr
ID Code:991228
Deposited By: Maryna Kluban
Deposited On:27 Oct 2022 14:28
Last Modified:27 Oct 2022 14:28
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Research related to the current document (at the CORE website)
- Research related to the current document (at the CORE website)
Back to top Back to top