A JavaScript bug scanner using graphs finds more than 100 zero-day vulnerabilities in Node.js frameworks
Researchers at Johns Hopkins University have developed a graph-based code analysis tool that can detect a wide range of vulnerabilities in JavaScript programs.

Called ODGen, the tool was presented at this year’s Usenix Security Symposium and addresses some of the challenges that limited the use of graph-based security tools in analyzing JavaScript programs.

The researchers proved the effectiveness of ODGen by applying it to thousands of Node.js libraries, where it discovered 180 zero-day vulnerabilities and received 70 CVEs.

Graph-based methods

Graph-based scanners parse source code files to build a graph structure that represents the different properties and execution branches of an application. This graph can then be used to model and find vulnerabilities in the source code.

Graph query-based approaches have proven to be very effective in detecting vulnerabilities in some programming languages. One technique in particular, Code Property Graph (CPG), has proven to be successful in securing C/C++ and PHP code.

Inspired by the success of graph methods – particularly CPG – the researchers at Johns Hopkins University tried to apply them to JavaScript. While there are different tools for finding specific vulnerabilities in JavaScript code, graph-based tools promise to provide a general framework for detecting all kinds of vulnerabilities.

“JavaScript, particularly Node.js, is becoming a vital community with millions of packages these days,” Yinzhi Cao, co-author of the paper and assistant professor of computer science at Johns Hopkins University, told Daily Swig.

“At the same time, many of these NPM packages are less maintained and vulnerabilities are prevalent in the NPM ecosystem. That is why we decided to perform the study to make the ecosystem a safer environment.”

However, their initial findings showed that CPG is not very effective in JavaScript due to the language’s dynamic structure, which makes it much more difficult to parse and analyze object relations and program branches prior to execution.

“CPG does not model detailed object relations including (i) prototype chains and (ii) object-level data flows. Therefore, it is hard to apply CPG to detect JavaScript-specific vulnerabilities, such as Prototype Pollution and Internal Property Tampering. And it is hard to model fine-grained object-level data flows in CPG,” Cao said.
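To make concrete the prototype-chain problem Cao refers to, here is an added example written for this page (it is not code from the ODGen paper, from the article, or from any of the affected npm packages): a recursive deep-merge utility of the kind found in many npm packages, first in a form that untrusted JSON can use to pollute `Object.prototype` through a `__proto__` key, then in a hardened form, together with a detection check that reports properties that have appeared on `Object.prototype`. The function names `mergeUnsafe`, `mergeSafe`, `prototypeAdditions` and `demonstrate`, and the sample request body, are constructed for the illustration.

```javascript
// Added example (not from the ODGen paper or the article): a recursive
// deep merge in a vulnerable and a hardened form, plus a defender-side
// check that Object.prototype has not gained unexpected properties.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable form: walks every key of the untrusted input. JSON.parse creates
// "__proto__" as an own key, so target["__proto__"] resolves to
// Object.prototype and the recursion writes the nested keys onto it.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: refuses keys that lead into the prototype chain and only
// descends into nested objects that are the target's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check: property names on Object.prototype that were not present
// when the snapshot was taken (usable as a canary in a test suite).
function snapshotPrototype() {
  return new Set(Object.getOwnPropertyNames(Object.prototype));
}
function prototypeAdditions(snapshot) {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !snapshot.has(n));
}

// Runs one merge against a constructed untrusted body (as a parsed JSON
// request body would be) and reports whether an unrelated fresh object
// became "admin" as a side effect.
function demonstrate(mergeFn) {
  const before = snapshotPrototype();
  const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "alice"}');
  const merged = mergeFn({}, untrusted);
  const result = {
    name: merged.name,
    polluted: ({}).isAdmin === true,
    added: prototypeAdditions(before),
  };
  delete Object.prototype.isAdmin; // undo the pollution so later code starts clean
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', demonstrate(mergeUnsafe));
  console.log('safe:  ', demonstrate(mergeSafe));
}
```

The difference between the two merges is exactly the object-relation information the article says CPG lacks: whether `target[key]` is an own property or a value reached through the prototype chain. A graph that models prototype chains can flag the unsafe form statically; the `prototypeAdditions` canary catches the effect at test time.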

Object Dependence Graph

In their paper, the researchers propose Object Dependence Graph (ODG) as a novel method to build graphs from JavaScript code. ODG uses some of the components of CPG, such as Abstract Syntax Trees (AST), and adds features that are specific to JavaScript, including fine-grained data dependency between objects. Accordingly, the researchers created ODGen, a tool for creating and querying ODGs.


“Our proposed ODGen abstractly interprets JavaScript code and generates a so-called Object Dependence Graph to capture such dynamic features including object relations so that a graph query-based approach can easily obtain such information and detect vulnerabilities,” Cao said.
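The object-level data flow described in the two quotes above, and the graph query that runs over it, can be seen at toy scale in the following added example written for this page (it is not ODGen's code and does not reproduce its graph format). Instead of a real AST it abstractly interprets a hand-written mini IR, builds a dependence graph whose nodes are abstract objects and their properties, and then queries the graph for flows from an attacker-controlled source to a dangerous sink that do not pass through a sanitizer. The IR shape, the `SINKS` and `SANITIZERS` lists, and the sample program are all constructed assumptions.

```javascript
// Added example, not ODGen's code: a toy object dependence graph over a
// constructed mini IR, and a graph query that finds source-to-sink flows.

const SINKS = new Set(['exec', 'eval']);    // assumed dangerous calls
const SANITIZERS = new Set(['sanitize']);   // assumed cleaning calls

// Builds the graph. Nodes are abstract objects ("req") and their properties
// ("req.query"); an edge a -> b means the value of b is computed from a.
function buildGraph(program) {
  const edges = new Map();   // node -> Set of nodes that depend on it
  const sources = new Set();
  const sinks = [];
  const addEdge = (from, to) => {
    if (!edges.has(from)) edges.set(from, new Set());
    edges.get(from).add(to);
  };
  for (const stmt of program) {
    switch (stmt.op) {
      case 'source':          // dst is attacker-controlled
        sources.add(stmt.dst);
        break;
      case 'assign':          // dst = src
        addEdge(stmt.src, stmt.dst);
        break;
      case 'get':             // dst = obj.prop : the property depends on the object
        addEdge(stmt.obj, `${stmt.obj}.${stmt.prop}`);
        addEdge(`${stmt.obj}.${stmt.prop}`, stmt.dst);
        break;
      case 'set':             // obj.prop = src : the object now depends on src
        addEdge(stmt.src, `${stmt.obj}.${stmt.prop}`);
        addEdge(`${stmt.obj}.${stmt.prop}`, stmt.obj);
        break;
      case 'call':            // dst = fn(args)
        // A sanitizer's result is treated as independent of its arguments,
        // which cuts the flow; any other call propagates its arguments.
        if (!SANITIZERS.has(stmt.fn)) {
          for (const a of stmt.args) addEdge(a, stmt.dst);
        }
        if (SINKS.has(stmt.fn)) sinks.push({ fn: stmt.fn, args: stmt.args, line: stmt.line });
        break;
      default:
        throw new Error(`unknown op ${stmt.op}`);
    }
  }
  return { edges, sources, sinks };
}

// Graph query: which sink arguments are reachable from a source? Breadth-first
// search with a visited set, so the cycles created by 'set' are harmless.
function findSourceToSinkFlows({ edges, sources, sinks }) {
  const reachable = new Set();
  const queue = [...sources];
  while (queue.length) {
    const n = queue.shift();
    if (reachable.has(n)) continue;
    reachable.add(n);
    for (const next of edges.get(n) ?? []) queue.push(next);
  }
  const findings = [];
  for (const s of sinks) {
    for (const a of s.args) {
      if (reachable.has(a)) findings.push({ sink: s.fn, arg: a, line: s.line });
    }
  }
  return findings;
}

// Constructed sample program: a request value flows through an options object
// into exec (line 6), while the sanitized copy that reaches exec on line 7 is clean.
const SAMPLE_PROGRAM = [
  { line: 1, op: 'source', dst: 'req' },
  { line: 2, op: 'get', dst: 'name', obj: 'req', prop: 'query' },
  { line: 3, op: 'call', fn: 'sanitize', dst: 'clean', args: ['name'] },
  { line: 4, op: 'set', obj: 'opts', prop: 'cmd', src: 'name' },
  { line: 5, op: 'get', dst: 'cmd', obj: 'opts', prop: 'cmd' },
  { line: 6, op: 'call', fn: 'exec', dst: 'r1', args: ['cmd'] },
  { line: 7, op: 'call', fn: 'exec', dst: 'r2', args: ['clean'] },
];

function scanSample() {
  return findSourceToSinkFlows(buildGraph(SAMPLE_PROGRAM));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanSample());
}
```

The point of the toy is the shape of the approach rather than the modelling precision: the 'get' and 'set' rules are a coarse over-approximation (any tainted property taints the whole object), whereas ODG tracks dependencies per object and per property, which is what lets it separate a tainted `opts.cmd` from an untainted `opts.timeout` and keep false positives down at the scale of 300,000 packages.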

The researchers designed ODGen to detect vulnerabilities at both the application and the package level. They tested the tool on 330 documented vulnerabilities spanning 16 categories, including cross-site scripting (XSS), server- and client-side request forgery (SSRF/CSRF), SQL injection, prototype pollution, and command injection.

The tool was able to detect 13 types of vulnerabilities with very high accuracy, discovering 302 of the 330 bugs.

They expanded their test by crawling 300,000 NPM packages and running ODGen's graph queries over them to detect vulnerabilities. ODGen reported nearly 3,000 security bugs, of which the researchers verified 264 that belonged to libraries with more than 1,000 weekly downloads. They were able to confirm and report 180 security bugs, many of which were in libraries that are widely used in web applications. Of the discovered vulnerabilities, 70 were assigned CVEs.

ODGen shows how much more needs to be done to secure the open source JavaScript ecosystem and how the adaptation of existing tools can help in developing holistic approaches to securing Node.js libraries.

In the future, Cao said, the team might extend ODGen to other programming languages used in web applications, including PHP and Java.

