A JavaScript bug scanner using graphs finds more than 100 zero-day vulnerabilities in Node.js frameworks

Researchers at Johns Hopkins University have developed a graph-based code analysis tool that can detect a wide range of vulnerabilities in JavaScript programs.

Called ODGen, the tool was presented at this year's USENIX Security Symposium and addresses some of the challenges that have limited the use of graph-based security tools for analyzing JavaScript programs.

The researchers demonstrated the effectiveness of ODGen by applying it to thousands of Node.js libraries, where it discovered 180 zero-day vulnerabilities, 70 of which were assigned CVEs.

Graph-based methods

Graph-based scanners parse source code files to build a graph that represents the program's structure, control flow and data flow. Vulnerability patterns can then be expressed as queries over this graph, so finding a bug class becomes a matter of writing the right query rather than a bespoke checker.

Graph query-based approaches have proven very effective at detecting vulnerabilities in some programming languages. One technique in particular, the Code Property Graph (CPG), which combines the abstract syntax tree, control-flow graph and program dependence graph into a single queryable structure, has been successful in securing C/C++ and PHP code.

Inspired by the success of graph methods, and CPG in particular, the researchers at Johns Hopkins University tried to apply them to JavaScript. While there are tools for finding specific vulnerabilities in JavaScript code, graph-based tools promise a general framework for detecting many kinds of vulnerabilities.

“JavaScript, particularly Node.js, is becoming a vital community with millions of packages these days,” Yinzhi Cao, co-author of the paper and assistant professor of computer science at Johns Hopkins University, told The Daily Swig.

“At the same time, many of these NPM packages are less maintained and vulnerabilities are prevalent in the NPM ecosystem. That is why we decided to perform the study to make the ecosystem a safer environment.”

However, their initial findings showed that CPG is not very effective for JavaScript because of the language's dynamic features: objects are prototype-based, and property names, types and call targets are often only resolved at run time, which makes object relations and program branches much harder to determine statically.

“CPG does not model detailed object relations including (i) prototype chains and (ii) object-level data flows. Therefore, it is hard to apply CPG to detect JavaScript-specific vulnerabilities, such as Prototype Pollution and Internal Property Tampering. And it is hard to model fine-grained object-level data flows in CPG,” Cao said.
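As an added example, not code from the ODGen paper or from the article, the following shows the prototype pollution pattern Cao refers to: a recursive merge that copies attacker-controlled keys into its target, beside a hardened version. The function and constant names (unsafeMerge, safeMerge, ATTACKER_JSON) are illustrative, and the payload is constructed for this demonstration.

```javascript
// Added example (not ODGen's code): prototype pollution through a naive
// recursive merge, and a hardened merge that rejects the dangerous keys.
// Names and the payload below are illustrative, constructed for this demo.

// Constructed attacker input. JSON.parse() turns "__proto__" into an own
// property of the parsed object, so a merge that walks keys blindly reaches
// Object.prototype through target["__proto__"].
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "name": "guest"}';

// VULNERABLE: copies every key, including "__proto__". On a plain target,
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// isAdmin onto it and every object in the process inherits the property.
// That object-level data flow (input -> Object.prototype) is exactly the
// relation a graph without object modelling cannot express.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: iterate own keys only, refuse the keys that lead to a prototype
// ("constructor" covers the constructor.prototype route), and only recurse
// into own plain-object properties of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to merge reserved key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges on the constructed payload and reports what happened.
// The polluted property is deleted afterwards so the process is left clean.
function demonstratePollution() {
  unsafeMerge({}, JSON.parse(ATTACKER_JSON));
  const vulnerablePolluted = ({}).isAdmin === true; // a fresh object now "is admin"
  delete Object.prototype.isAdmin;

  let safeRejected = false;
  try {
    safeMerge({}, JSON.parse(ATTACKER_JSON));
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  const safePolluted = ({}).isAdmin === true;

  return { vulnerablePolluted, safeRejected, safePolluted };
}

console.log(demonstratePollution());
```

Rejecting the reserved keys outright, rather than silently skipping them, is a deliberate choice: a request carrying `__proto__` is almost never legitimate, and surfacing it makes the attempt visible in logs. Keep in mind that the hardened merge only prevents writes to the prototype chain; it does not undo pollution that has already happened elsewhere in the process.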

Object Dependence Graph

In their paper, the researchers propose the Object Dependence Graph (ODG) as a new way to build graphs from JavaScript code. ODG reuses components of CPG, such as the Abstract Syntax Tree (AST), and adds JavaScript-specific features, including fine-grained data dependencies between objects and the relations between objects and their prototypes. The researchers then built ODGen, a tool that generates ODGs and runs queries against them.

“Our proposed ODGen abstractly interprets JavaScript code and generates a so-called Object Dependence Graph to capture such dynamic features including object relations so that a graph query-based approach can easily obtain such information and detect vulnerabilities,” Cao said.

The researchers designed ODGen to detect vulnerabilities at both the application and the package level. They tested the tool on 330 documented vulnerabilities spanning 16 categories, including cross-site scripting (XSS), server-side request forgery (SSRF), cross-site request forgery (CSRF), SQL injection, prototype pollution, and command injection.

The tool detected 13 of these vulnerability types with very high accuracy, finding 302 of the 330 bugs.

They then expanded the test by crawling 300,000 NPM packages and running ODGen's graph queries over them. ODGen reported nearly 3,000 potential security bugs. The researchers manually examined the 264 reports that belonged to packages with more than 1,000 weekly downloads, and confirmed and reported 180 of them as vulnerabilities, many in libraries widely used in web applications. Of these, 70 were assigned CVEs.

ODGen shows how much remains to be done to secure the open source JavaScript ecosystem, and how adapting existing analysis techniques to the language's specifics can support a more holistic approach to securing Node.js libraries.

In the future, Cao said, the team might extend ODGen to other programming languages used in web applications, including PHP and Java.

