DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules

The safe maintenance of Node.js modules is critical to the software security industry. Most server-side web applications are built on Node.js, an environment that depends heavily on modules, yet there is a clear lack of research on Node.js module security. This study focuses on prototype pollution, an emerging vulnerability type that has likewise not been studied widely. The main goal of this paper is therefore to propose patterns that can identify prototype pollution vulnerabilities. We developed DAPP, an automatic static analysis tool that targets all the real-world modules registered in the Node Package Manager. DAPP can discover the proposed patterns in each Node.js module in a matter of a few seconds; it performs and integrates static analysis based on the abstract syntax tree and the control flow graph. This study suggests an improved and efficient analysis methodology. We conducted multiple empirical tests to evaluate and compare our state-of-the-art methodology with previous analysis tools, and we found that our tool is exhaustive and works well with modern JavaScript syntax. Our research demonstrates how DAPP found over 37 previously undiscovered prototype pollution vulnerabilities among the 30,000 most downloaded Node.js modules. To evaluate DAPP further, we expanded the experiment and ran our tool on 100,000 Node.js modules. The evaluation results show a high level of performance for DAPP and identify the root causes of its false positives and false negatives. Finally, we reported each of the 37 vulnerabilities and obtained 24 CVE IDs, most with a CVSS score of 9.8.
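As an added illustration of the vulnerability class the abstract describes (not code from the DAPP paper or from any module it analysed), the following shows the recursive merge shape in which prototype pollution typically appears in Node.js modules, a hardened variant of the same function, and a check that confirms which of the two pollutes `Object.prototype`. The function names, the forbidden-key list and the JSON input are all constructed for this example.

```javascript
// Added example, not code from the DAPP paper or any module it analysed.
// Prototype pollution in a Node.js module usually lives in a recursive
// merge/extend helper that writes untrusted keys straight into the target,
// so a "__proto__" key walks the recursion into Object.prototype.

// Vulnerable shape: the key is used as a property name without any check.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] is Object.prototype, so recursion lands there.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: reject keys that reach a prototype and only descend into
// properties the target itself owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input shaped like a JSON body a module might merge into its
// options; JSON.parse produces an own "__proto__" key, unlike an object literal.
const POLLUTING_JSON = '{"__proto__": {"polluted": true}}';

// Merges the input, then asks whether a fresh, unrelated object was affected.
function pollutionCheck(mergeFn) {
  mergeFn({}, JSON.parse(POLLUTING_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo any pollution so runs repeat cleanly
  return leaked;
}
```

`pollutionCheck(unsafeMerge)` returns `true` while `pollutionCheck(safeMerge)` returns `false`; the unguarded `target[key]` write in the recursive branch is the code shape a static pattern for this vulnerability class has to find.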
